CVE-2025-55737
- EPSS 0.08%
- Published 19.08.2025 19:06:15
- Last modified 21.08.2025 18:40:41
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delet...
CVE-2025-55736
- EPSS 0.04%
- Published 19.08.2025 19:04:00
- Last modified 22.08.2025 20:56:14
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change their own role to "admin", gaining the privileges associated with that role (e.g. deleting users, posts, comments, etc.). The problem is in the routes/adminPanelUsers file.
CVE-2025-55735
- EPSS 0.03%
- Published 19.08.2025 18:56:42
- Last modified 22.08.2025 20:57:15
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | ...
CVE-2025-55734
- EPSS 0.05%
- Published 19.08.2025 18:38:04
- Last modified 22.08.2025 20:58:55
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role ...
CVE-2025-53631
- EPSS 0.03%
- Published 14.08.2025 15:26:32
- Last modified 21.08.2025 21:29:29
flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, ...
CVE-2025-28102
- EPSS 0.18%
- Published 21.04.2025 17:15:23
- Last modified 23.06.2025 13:09:59
A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.
CVE-2025-28103
- EPSS 0.16%
- Published 21.04.2025 00:00:00
- Last modified 28.05.2025 15:49:20
Incorrect access control in flaskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.
CVE-2025-28104
- EPSS 0.29%
- Published 21.04.2025 00:00:00
- Last modified 28.05.2025 15:49:14
Incorrect access control in flaskBlog v2.6.1 allows attackers to access all usernames via a crafted input.
CVE-2025-28101
- EPSS 0.2%
- Published 17.04.2025 00:00:00
- Last modified 23.04.2025 19:03:51
An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users by supplying a crafted POST request.
CVE-2024-22414
- EPSS 0.2%
- Published 17.01.2024 21:15:12
- Last modified 21.11.2024 08:56:14
flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/<user>` page allows a user's comments to execute arbitrary JavaScript code. The HTML template `user.html` contains the following code snippet to render comm...