Vulnerability DatabaseCVE-2024-4023

CVE-2024-4023:
FlatPress vulnerability analysis and mitigation

Overview

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. The vulnerability was discovered and reported through huntr.dev platform, and has been assigned CVE-2024-4023. The issue affects the file upload functionality when handling files with .xsig extension (NVD, CVE).

Technical details

The vulnerability occurs when a user uploads a file with a .xsig extension and directly accesses this file. The server responds with a Content-type of application/octet-stream, which leads to the file being processed as an HTML file. This misconfiguration allows for potential execution of arbitrary JavaScript code. The vulnerability has been assigned a CVSS v3.0 base score of 8.1 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H (NVD).

Impact

The vulnerability allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin. This poses a significant security risk as it could lead to unauthorized access to sensitive information and potential account compromise (NVD).

Mitigation and workarounds

A fix has been implemented that prevents the upload of files with .xsig extension. The patch can be found in the GitHub commit 3c9cc69364a45fd3f92d4bd606344b5dd1205d6a (GitHub Commit).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

8.1

Score

Published March 20, 2025

Severity HIGH

CNA Score 8.1

Affected Technologies

FlatPress

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 36.4

Exploitation Probability (EPSS) 0.2

Affected packages and libraries

cpe:2.3:a:flatpress:flatpress

Sources

VulnCheck NVD++
- Linux Severity HIGHHas FixAdded at: Mar 23, 2025
- Windows Severity HIGHHas FixAdded at: Mar 23, 2025
NVD
- Linux Severity HIGHHas FixAdded at: Jun 26, 2025
- Windows Severity HIGHHas FixAdded at: Jun 26, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related FlatPress vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2024-4023	HIGH	8.1	FlatPress	cpe:2.3:a:flatpress:flatpress	No	Yes	Mar 20, 2025
CVE-2024-9847	HIGH	8	FlatPress	cpe:2.3:a:flatpress:flatpress	No	Yes	Mar 20, 2025
CVE-2025-29602	MEDIUM	6.1	FlatPress	cpe:2.3:a:flatpress:flatpress	No	Yes	May 07, 2025
CVE-2024-9699	MEDIUM	5.4	FlatPress	cpe:2.3:a:flatpress:flatpress	No	Yes	Mar 20, 2025
CVE-2025-44108	MEDIUM	4.8	FlatPress	cpe:2.3:a:flatpress:flatpress	No	Yes	May 19, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-4023: FlatPress vulnerability analysis and mitigation