{"id":"CVE-2024-9699","details":"A vulnerability in the file upload functionality of the FlatPress CMS admin panel (latest version) allows an attacker to upload a file whose filename carries a JavaScript payload. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev.","modified":"2026-04-10T05:20:35.672590Z","published":"2025-03-20T10:15:49.797Z","references":[{"type":"ADVISORY","url":"https://huntr.com/bounties/a993a05f-be50-4983-a44a-3bbff1ec00db"},{"type":"FIX","url":"https://github.com/flatpressblog/flatpress/commit/f364391085334a7eae02aa2320edd6de7466ec85"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flatpressblog/flatpress","events":[{"introduced":"0"},{"fixed":"aae1bea56a41d3a82d84ede83b7c25d9e947751b"},{"fixed":"f364391085334a7eae02aa2320edd6de7466ec85"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4"}]}}],"versions":["1.1","1.2","1.2.1","1.2.beta1","1.2.beta2","1.3","1.3.beta1","1.3.rc1","1.4.rc1","1.4.rc2","v1.0.2","v1.0.3","v1.0.3.php7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9699.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}