langhsu Mblog Blog System Search Bar search cross site scripting

An attacker can exploit this XSS vulnerability by crafting a malicious URL containing a specially crafted 'kw' parameter. When a user visits this URL, the injected script will execute in their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The impact can range from minor annoyance to complete account compromise, depending on the attacker's skill and the privileges of the affected user. Given the public disclosure of this vulnerability, it is likely that automated scanners are already attempting to exploit it.

Websites and applications using Mblog Blog System version 3.5.0 are at risk. Shared hosting environments are particularly vulnerable, as attackers may be able to exploit the vulnerability through other tenants on the same server. Users who frequently access the /search endpoint are also at higher risk.

• php / web:

curl -s -X GET 'http://your-mblog-system/search?kw=<script>alert(1)</script>' | grep -i alert

• generic web:

curl -s -X GET 'http://your-mblog-system/search?kw=<script>alert(1)</script>' | grep -i alert

1. 2025-01-09Disclosure

   disclosure

1. आरक्षित2025-01-08
2. प्रकाशित2025-01-09
3. EPSS अद्यतन2026-04-02

The primary mitigation for CVE-2024-13199 is to upgrade Mblog Blog System to version 3.5.1 or later, which contains the fix. If upgrading is not immediately possible, consider implementing input validation and output encoding on the /search endpoint to sanitize the 'kw' parameter. Web application firewalls (WAFs) can also be configured to block requests containing suspicious characters or patterns in the 'kw' parameter. After upgrading, verify the fix by attempting to inject a simple XSS payload into the /search endpoint and confirming that it is properly sanitized.