CVE-2017-14957

Name of the Vulnerable Software and Affected Versions BlogoText versions prior to 3.7.6

Description The issue allows an unauthenticated attacker to inject JavaScript via a comment in the inc/conv.php file. If the victim is an administrator, the attacker can change global settings or create/delete posts. It is also possible to execute JavaScript against unauthenticated users of the blog.

Recommendations For versions prior to 3.7.6, update to version 3.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the inc/conv.php file or disabling comments until a patch is available.