Bludit
Monthly
Authentication bypass in Bludit CMS versions prior to 3.22.0 allows deactivated user accounts to retain authenticated access through persistent 'Remember Me' cookies, because the disable-account workflow fails to invalidate tokenAuth and tokenRemember values stored in the JSON database. Any user who previously logged in with the persistent session option can continue to act with their original privileges even after an administrator disables them. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in Bludit CMS versions prior to 3.22.0 allows deleted user accounts to retain full authenticated access through pre-existing 'Ghost Sessions' that are never invalidated upon account removal. An authenticated attacker whose account is subsequently revoked can continue performing privileged operations until the session naturally expires. No public exploit identified at time of analysis, though the fix commit on GitHub publicly discloses the exact root cause.
Reflected cross-site scripting in Bludit CMS search plugin allows unauthenticated attackers to inject arbitrary JavaScript through malicious search queries. When users visit attacker-crafted URLs containing the XSS payload, malicious scripts execute in their browsers, enabling session cookie theft and actions performed on behalf of victims. Publicly available exploit code exists; patch available via commit 6732dde.
Stored XSS in Bludit page creation functionality allows authenticated users with author privileges or higher to inject malicious JavaScript via the tags field, executing arbitrary code in victims' browsers when they access the affected page. Bludit versions 3.17.2 and 3.18.0 are confirmed vulnerable; the vendor did not respond with remediation details or clarify the full version range affected. This vulnerability poses moderate immediate risk (CVSS 5.1) but carries elevated concern because injected scripts could escalate privileges to administrator level if the victim has sufficient permissions, and the malicious resource is accessible without authentication.
Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. No public exploit identified at time of analysis, though the technical details are publicly disclosed.
Bludit up to version 3.18.2 allows authenticated users with content upload privileges to execute arbitrary JavaScript in victim browsers via stored XSS in SVG image uploads. An attacker with Author, Editor, or Administrator role can upload a malicious SVG file that executes when accessed by any unauthenticated visitor to the uploaded resource URL, compromising browser sessions and potentially enabling account takeover or sensitive data theft. No public exploit code has been identified at time of analysis, though the vendor was notified early and subsequently ceased coordination.
Stored XSS in Bludit 3.16.2 allows authenticated users to inject malicious JavaScript into post content that executes when viewed by other users, enabling session hijacking and credential theft. The vulnerability exists because the application relies solely on client-side input validation while failing to sanitize or encode content server-side. Public exploit code is available, though no patch has been released yet.
Bludit 3.16.1 lacks CSRF protections on administrative endpoints, allowing attackers to trick authenticated admins into uninstalling plugins or installing malicious themes via crafted web requests. Public exploit code exists for this vulnerability, enabling unauthorized modification of site functionality and potential code execution through untrusted theme installation.