Oneblog Zhyd Oneblog

By the Year

In 2026 there have been 0 vulnerabilities in Zhyd Oneblog. Last year, in 2025, Oneblog had 3 security vulnerabilities published. Right now, Oneblog is on track to have fewer security vulnerabilities in 2026 than it did last year.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 4.80 |
| 2024 | 6 | 5.63 |
| 2023 | 0 | 0.00 |
| 2022 | 3 | 5.03 |

It may take a day or so for new Oneblog vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zhyd Oneblog Security Vulnerabilities

OneBlog <2.3.9 SSRF via RestApiController.autoLink(remote)
CVE-2025-2835 4.3 - Medium - March 27, 2025

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

SSRF

ReDoS via X-Forwarded-For in zhangyd-c OneBlog HTTP Header Handler <2.3.9
CVE-2025-2833 5.3 - Medium - March 27, 2025

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been classified as problematic. Affected is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Resource Exhaustion

OneBlog 2.3.6 template injection via template manager
CVE-2024-54954 - February 10, 2025

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department.

Stored XSS in OneBlog v2.3.4 Privilege Management (CVE-2024-29472)
CVE-2024-29472 5.4 - Medium - March 20, 2024

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Privilege Management module.

XSS

OneBlog v2.3.4 XSS via Notice Manage module
CVE-2024-29471 5.4 - Medium - March 20, 2024

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Notice Manage module.

XSS

OneBlog v2.3.4 Stored XSS via User Mgmt
CVE-2024-29474 - March 20, 2024

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Management module.

OneBlog v2.3.4 Stored XSS via /links Component
CVE-2024-29470 - March 20, 2024

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component {{rootpath}}/links.

Stored XSS in OneBlog 2.3.4 Category List parameter (Lab)
CVE-2024-29469 - March 20, 2024

A stored cross-site scripting (XSS) vulnerability in OneBlog v2.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category List parameter under the Lab module.

OneBlog 2.3.4 stored XSS via Role Management
CVE-2024-29473 6.1 - Medium - March 20, 2024

OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Role Management module.

XSS

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability
CVE-2022-34013 4.3 - Medium - June 23, 2022

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module.

SSRF

Insecure permissions in OneBlog v2.3.4
CVE-2022-34012 6.5 - Medium - June 23, 2022

Insecure permissions in OneBlog v2.3.4 allow low-level administrators to reset the passwords of high-level administrators who hold greater privileges.

Incorrect Permission Assignment for Critical Resource

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability
CVE-2022-34011 4.3 - Medium - June 23, 2022

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls.

SSRF
