CVE-2021-36703

Name of the Vulnerable Software and Affected Versions htmly version 2.8.1

Description The issue concerns a storage cross site scripting (XSS) vulnerability in the "blog title" field of the "Settings" menu "config" page in the "dashboard". This vulnerability allows remote attackers to send an authenticated POST HTTP request to the "admin/config" endpoint and inject arbitrary web script or HTML through a special website name.

Recommendations For htmly version 2.8.1, consider restricting access to the "admin/config" endpoint until a patch is available. As a temporary workaround, avoid using the "blog title" field in the "Settings" menu "config" page of the "dashboard" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.