CVE-2025-28102

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to inject malicious scripts into blog posts via the postContent parameter. This affects all users running the vulnerable version of flaskBlog, potentially compromising visitors who view the malicious posts.

💻 Affected Systems

Products:
  • flaskBlog
Versions: v2.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the /createpost endpoint when creating or editing posts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware on visitor systems.

🟠 Likely Case

Session hijacking, credential theft, defacement of blog content, or redirection to phishing sites.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though some functionality disruption may occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create or edit posts (typically authenticated). Proof-of-concept available in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

  1. Check the GitHub repository for updates.
  2. Apply input validation and output encoding.
  3. Consider migrating to a maintained fork if available.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add server-side input validation to sanitize the postContent parameter.

Keep HTML escaping active in the Flask (Jinja2) templates that render post content: use {{ content|safe }} only when the content is trusted, or sanitize it with an allowlist library such as bleach before rendering.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution.

Add the header "Content-Security-Policy: default-src 'self'; script-src 'self'" to HTTP responses.

🧯 If You Can't Patch

  • Disable post creation/editing functionality
  • Implement WAF rules to block XSS payloads in postContent parameter

🔍 How to Verify

Check if Vulnerable:

Test by creating a post with <script>alert('XSS')</script> in postContent, then view the post and check whether the script executes.

Check Version:

Check flaskBlog version in application configuration or package metadata

Verify Fix Applied:

Repeat the test with the same payload; the script should not execute and the payload should be displayed as plain text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual post creation patterns
  • POST requests to /createpost with script tags or JavaScript in parameters

Network Indicators:

  • HTTP requests containing script tags in postContent parameter

SIEM Query:

source="web_logs" AND uri_path="/createpost" AND (postContent CONTAINS "<script>" OR postContent CONTAINS "javascript:")
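The escaping and CSP workaround from the mitigation section and the SIEM query above, as an added Python example (not flaskBlog's own code): a stand-in for the template rendering that contrasts {{ content|safe }} with autoescaped output, the CSP header to attach to responses, and a log-side check equivalent to the query. Function names and the sample request are assumptions constructed for the example.

```python
# Added example, not flaskBlog's own code. Uses only the standard library so it
# runs without Flask installed; html.escape does what Jinja2 autoescaping does.
import html

# Constructed sample: the verification payload from this advisory.
SAMPLE_POST_CONTENT = "<script>alert('XSS')</script>"

CSP_HEADER = "default-src 'self'; script-src 'self'"


def render_post_vulnerable(content: str) -> str:
    """Mimics `{{ content|safe }}`: untrusted HTML reaches the page unchanged."""
    return f"<article>{content}</article>"


def render_post_escaped(content: str) -> str:
    """Mimics `{{ content }}` with autoescaping on: every HTML metacharacter
    is encoded, so the browser shows the payload as text instead of running it."""
    return f"<article>{html.escape(content, quote=True)}</article>"


def response_headers() -> dict:
    """Headers to attach to every response; in Flask this is done in an
    @app.after_request hook that sets resp.headers["Content-Security-Policy"]."""
    return {"Content-Security-Policy": CSP_HEADER}


def contains_active_script(rendered: str) -> bool:
    """Verification helper: does a live <script tag survive into the output?"""
    return "<script" in rendered.lower()


def flag_createpost_request(uri_path: str, params: dict) -> bool:
    """Log-side equivalent of the SIEM query: a /createpost request whose
    postContent carries a script tag or a javascript: URL. Matching on
    '<script' (no closing '>') also catches '<script src=...>' variants."""
    content = params.get("postContent", "").lower()
    return uri_path == "/createpost" and (
        "<script" in content or "javascript:" in content
    )


if __name__ == "__main__":
    print(render_post_vulnerable(SAMPLE_POST_CONTENT))
    print(render_post_escaped(SAMPLE_POST_CONTENT))
    print(flag_createpost_request("/createpost", {"postContent": SAMPLE_POST_CONTENT}))
```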
