vendor:
HTMLy
by:
tmrswrr
5.1
CVSS
MEDIUM
Stored Cross-Site Scripting (XSS)
79
CWE
Product Name: HTMLy
Affected Version From: v2.9.6
Affected Version To: v2.9.6
Patch Exists: NO
Related CWE: CVE-2024-XXXX (not specified in the text)
CPE: a:htmly:htmly:2.9.6
Other Scripts:
https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/smb/ms17_010_eternalblue, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/smb/smb_enumshares, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/drupal_restws_unserialize, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/drupal_drupalgeddon2, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/thinkphp_rce, https://www.infosecmatter.com/top-25-penetration-testing-skills-and-competencies-detailed/, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/nscp_pe, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/gather/cloud_lookup, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684
Platforms Tested:
2024
HTMLy Version v2.9.6 – Stored XSS
The HTMLy version v2.9.6 is vulnerable to stored XSS. An attacker can inject malicious code into the 'Blog title' field, triggering a cross-site scripting attack. This could lead to unauthorized access to user sessions, defacement of the website, or theft of sensitive information.
Mitigation:
To mitigate this vulnerability, input validation should be implemented to sanitize user input and prevent the execution of scripts. Regular security audits and updates are also recommended.
