BlogEngine.NET icon indicating copy to clipboard operation
BlogEngine.NET copied to clipboard

Published 20 hours ago verified publisher icon BlogEngine

Cross-Site Scripting (XSS) in "/blogengine/api/posts"

Open tuando243 opened this issue 2 years ago • 0 comments

A Cross Site Scripting vulnerabilty exists in BlogEngine via the Description field in /blogengine/api/posts

Step to exploit:

  1. Login as admin.
  2. Navigate to http://127.0.0.1/blogengine/admin/#/content/posts and click on "NEW".
  3. Insert XSS payload <img src=1 onerror=alert('XSS')> in the "Description" field and click on SAVE, PUBLISH.
  4. Go to Home page.

1

2

3

tuando243 avatar Jul 20 '22 15:07 tuando243