CVE-2025-44108

{"id": "CVE-2025-44108", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2025-05-19T14:15:24.340", "references": [{"url": "https://github.com/flatpressblog/flatpress/commit/24a6feacf1747ec19725b52c097715c8ab9c4559", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/flatpressblog/flatpress/releases/tag/1.3.1", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://github.com/flatpressblog/flatpress/releases/tag/1.4.rc2", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://harish0x.github.io/blog/CVE-2025-44108", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://harish0x.github.io/blog/CVE-2025-44108", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el panel de administraci\u00f3n de Flatpress CMS (versi\u00f3n anterior a la 1.4) a trav\u00e9s del componente de subt\u00edtulos de la galer\u00eda. Un atacante con privilegios de administrador puede inyectar un payload de JavaScript maliciosa en el sistema, que posteriormente se almacena de forma persistente."}], "lastModified": "2025-06-12T16:26:10.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA4D125F-CD88-4951-8066-05871F2E4EDD", "versionEndExcluding": "1.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}