Coleak2021

**Name of the Vulnerable Software and Affected Versions** flaskBlog version 2.6.1 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `postContent` parameter at the "/createpost" API endpoint. **Recommendations** For flaskBlog version 2.6.1, consider disabling the `postContent` parameter in the "/createpost" API endpoint until a patch is available. Restrict access to the "/createpost" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** laskBlog version 2.6.1 **Description** The issue is related to incorrect access control, allowing attackers to delete user accounts arbitrarily via a crafted request. **Recommendations** For laskBlog version 2.6.1, consider restricting access to the user account deletion functionality until a patch is available. As a temporary workaround, review and monitor all account deletion requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** laskBlog version 2.6.1 **Description** The issue allows attackers to bypass access controls and obtain all usernames by providing a specially crafted input. **Recommendations** For laskBlog version 2.6.1, consider restricting access to sensitive user information until a patch is available. As a temporary workaround, review and strengthen input validation to prevent crafted inputs from exploiting the access control weakness.

**Name of the Vulnerable Software and Affected Versions** flaskBlog version 2.6.1 **Description** The issue allows attackers to delete article titles created by other users by supplying a crafted POST request to the "/post/{postTitle}" component. **Recommendations** For flaskBlog version 2.6.1, consider restricting access to the "/post/{postTitle}" component until a patch is available. As a temporary workaround, avoid using the `postTitle` variable in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ppress version 0.0.9 **Description** A stored Cross-Site Scripting vulnerability in the "related recommendations" feature allows a remote attacker to execute arbitrary code via a crafted script to the `article.title`, `article.category`, and `article.tags` parameters. **Recommendations** For Ppress version 0.0.9, as a temporary workaround, consider disabling the "related recommendations" feature until a patch is available. Restrict access to the `article.title`, `article.category`, and `article.tags` parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.