Multiple Stored Cross-Site Scripting (XSS) vulnerabilities in Flatboard from Flatboard Pro

Posted date 03/07/2025
Identifier
INCIBE-2025-0355
Importance
3 - Medium
Affected Resources

Flatboard, versions prior to 3.2.2.

Description

INCIBE has coordinated the publication of 2 vulnerabilities of medium severity, affecting Flatboard from Flatboard Pro, a fast and lightweight software for plain text file forums. The vulnerabilities have been discovered by Rafael Pedrero.

Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40722 and CVE-2025-40723: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The vulnerabilities have been fixed by the Flatboard Pro team in version 3.2.2.

Detail

Flatboard, from Flatboard Pro, is affected in versions prior to 3.2.2 by stored Cross-Site Scripting (XSS) vulnerabilities caused by a lack of proper validation of user input. The affected parameters and their assigned identifiers are as follows:

  • CVE-2025-40722: replace parameter in /config.php/tags.
  • CVE-2025-40723: footer_text and announcement parameters in config.php.