Vulnerabilities > CVE-2024-22414 - Unspecified vulnerability in Dogukanurker Flaskblog

CVSS 5.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

dogukanurker

NVD

Published: 2024-01-17

Updated: 2024-11-21

Summary

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/<user>` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div class="content" tag="content">{{comment[2]|safe}}</div>`. Use of the "safe" tag causes flask to _not_ escape the rendered content. To remediate this, simply remove the `|safe` tag from the HTML above. No fix is is available and users are advised to manually edit their installation.

Vulnerable Configurations

Part	Description	Count
Application	Dogukanurker Dogukanurker Flaskblog 1.0.0 Dogukanurker Flaskblog 1.0.1 Dogukanurker Flaskblog 1.0.2 Dogukanurker Flaskblog 1.0.3 Dogukanurker Flaskblog 1.0.4 Dogukanurker Flaskblog 1.0.5 Dogukanurker Flaskblog 1.0.6 Dogukanurker Flaskblog 1.0.7 Dogukanurker Flaskblog 1.0.8 Dogukanurker Flaskblog 1.0.9 Dogukanurker Flaskblog 1.1.0	11

Summary

Vulnerable Configurations

References