Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. It allows remote attackers to send an authenticated post HTTP request to admin/config and inject arbitrary web script or HTML through a special website name.
AnalysisAI
The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The "blog title" field in the "Settings" menu "config" page of "dashboard" in htmly 2.8.1 has a storage cross site scripting (XSS) vulnerability. It allows remote attackers to send an authenticated post HTTP request to admin/config and inject arbitrary web script or HTML through a special website name. Affected products include: Htmly.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
In htmly version 2.8.1, is vulnerable to an Arbitrary File Deletion on the local host when delete backup files. Rated cr
Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-s
A stored cross-site scripting (XSS) vulnerability in Htmly v2.9.5 allows attackers to execute arbitrary web scripts or H
The "content" field in the "regular post" page of the "add content" menu under "dashboard" in htmly 2.8.1 has a storage
Multiple cross-site scripting (XSS) vulnerabilities in HTMLy 2.7.4 allow remote attackers to inject arbitrary web script
A cross-site scripting (XSS) vulnerability in Htmly v2.8.1 allows attackers to excute arbitrary web scripts HTML via a c
A vulnerability, which was classified as problematic, has been found in htmly 5.3 whis affects the component Edit Profil
htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php. Rated medium severity (CVS
htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.
htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The
Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitra
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today