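CVE-2025-29602 PoC: FlatPress security vulnerability

Source
Related vulnerability
Title: FlatPress security vulnerability (CVE-2025-29602)
Description: FlatPress is a lightweight, easy-to-set-up flat-file blog engine open-sourced by FlatPress. FlatPress 1.3.1 contains a security vulnerability caused by cross-site scripting in the administration area, which may lead to cross-site scripting attacks.
Introduction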
# CVE-2025-29602 - Stored cross-site scripting (XSS) vulnerabilities in FlatPress CMS 1.3.1

## Description 
A stored cross-site scripting (XSS) vulnerability exists in the administration panel of FlatPress CMS 1.3.1. An attacker with admin privileges can inject a malicious JavaScript payload into the system, where it is stored persistently.

When a regular user visits the compromised page (e.g., a blog post), the injected payload executes automatically in the victim's browser.

## Affected product
- [FlatPress](https://www.flatpress.org/)
- Version: 1.3.1
- Component: Edit category

## ⚠️ Impact
- Steal session cookies
- Phishing attacks
- Remote Code Execution (via JavaScript)
- Redirect users to malicious sites

## POC 
![image1](https://github.com/harish0x/CVE-2025-29602/blob/main/MC_IframeXSS.png)
![image2](https://github.com/harish0x/CVE-2025-29602/blob/main/MC_Iframxss.png)
![image3](https://github.com/harish0x/CVE-2025-29602/blob/main/Screenshot%202025-03-06%20at%203.39.44%20AM.png)

```html
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&|par;1)&gt;> :9

```
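The check below is an added example, not code from the PoC repository or from FlatPress. It runs the payload string shown above through a literal keyword blocklist, a decode-then-inspect check, and render-time output encoding; the function names and the benign category names are constructed for illustration.

```python
import html
import re

# Payload string exactly as printed in the PoC section of this page.
PAGE_PAYLOAD = "<iframe srcdoc=<svg/o&#x6Eload&equals;alert&|par;1)&gt;> :9"

# Constructed benign category names, used to check for false positives.
BENIGN = ["News", "R&amp;D notes", "Tips & tricks <2025>"]

ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|svg|object|embed)\b"  # elements that can load or run script
    r"|\bsrcdoc\s*="                           # nested document carried in an attribute
    r"|[\s/]on[a-z]+\s*="                      # inline event handler attribute
    r"|javascript\s*:",                        # script URL scheme
    re.IGNORECASE,
)

def naive_blocklist(value: str) -> bool:
    """Weak check (hypothetical): literal keywords in the raw string only."""
    return any(k in value.lower() for k in ("<script", "onload=", "onerror="))

def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Resolve character references until stable. An attribute value is
    decoded once by the parser, and srcdoc content is parsed (and decoded)
    again as its own document, so one pass is not enough in general."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value: str) -> bool:
    """Flag a stored field that contains active markup after decoding."""
    return bool(ACTIVE_MARKUP.search(decode_fully(value)))

def render_category(name: str) -> str:
    """Output-encode at render time so the stored value stays text."""
    return '<li class="category">' + html.escape(name, quote=True) + "</li>"

if __name__ == "__main__":
    print("naive blocklist hit:", naive_blocklist(PAGE_PAYLOAD))
    print("decoded form       :", decode_fully(PAGE_PAYLOAD))
    print("decode-aware hit   :", is_suspicious(PAGE_PAYLOAD))
    print("encoded output     :", render_category(PAGE_PAYLOAD))
```

The decode-aware check is suited to auditing already stored category data; output encoding at render time is the control that prevents execution.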


## Code area
[FlatPress GitHub](https://github.com/flatpressblog/flatpress/commit/02a69013214a7d4c32b6b85aad7006b52acca329)

## Fixed Version
FlatPress 1.4 "Notturno" [link](https://www.flatpress.org/2025/01/20/flatpress-14-notturno-release-candidate-1-published/)

## CVE Assignment
- **CVE ID:** CVE-2025-29602
File snapshot

```
[4.0K] /data/pocs/1ef4693365b9fbc6d3ea3939ef58aa213cd343a6
├── [790K] MC_IframeXSS.png
├── [1.5M] MC_Iframxss.png
├── [1.4K] README.md
└── [1.6M] Screenshot 2025-03-06 at 3.39.44 AM.png

0 directories, 4 files
```