Impact
Mixpost versions through 2.6.0 contain a reflected cross-site scripting flaw that allows an attacker who can craft a malicious OAuth callback URL to inject arbitrary JavaScript. The vulnerability arises because the application places the OAuth error query parameter, without sanitization, into a Laravel flash message that a Vue component then renders with the standard v-html directive, so the injected script executes in the victim's browser. Successful exploitation can hijack authenticated user sessions or trigger unauthorized actions.
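The flow described above, as an added example that is not Mixpost's own code: an `error` value taken from a callback URL is flashed to the UI, and the vulnerable shape (string dropped into markup, as v-html does) is shown beside the hardened shape (escaped before it reaches the sink). The hostname and function names are assumptions for illustration.

```javascript
// Added example, not Mixpost's code: models an OAuth callback error
// parameter being flashed to the UI and shows escaping it before it
// reaches an HTML-rendering sink such as v-html.

// Minimal HTML entity escaping, equivalent to what Blade's {{ }} or
// Vue's text interpolation ({{ }} / v-text) do for you.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pulls the `error` query parameter from an OAuth callback URL, as the
// callback controller would; returns null when no error was sent.
function extractOAuthError(callbackUrl) {
  return new URL(callbackUrl).searchParams.get("error");
}

// Vulnerable shape: the flashed string is inserted into markup verbatim,
// which is exactly what v-html does with it on the client.
function renderFlashUnsafe(message) {
  return `<div class="flash">${message}</div>`;
}

// Hardened shape: escape on the way in, so the sink can only show text.
function renderFlashSafe(message) {
  return `<div class="flash">${escapeHtml(message)}</div>`;
}

// Check a test suite can run over rendered flash markup: the message body
// (everything inside the wrapper) must not contain any tag.
function flashBodyContainsTag(rendered) {
  const body = rendered
    .replace(/^<div class="flash">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(body);
}

// Constructed sample callback (hostname is a placeholder): whoever builds
// the link controls `error`; harmless markup is enough to show the difference.
const SAMPLE_CALLBACK =
  "https://mixpost.example/callback?state=abc&error=" +
  encodeURIComponent("access_denied <b>see admin</b>");

const oauthError = extractOAuthError(SAMPLE_CALLBACK);
console.log(renderFlashUnsafe(oauthError)); // markup survives into the page
console.log(renderFlashSafe(oauthError));   // markup is shown as literal text
```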
Affected Systems
The affected product is Mixpost from inovector, specifically version 2.6.0 and any earlier releases that do not contain the fix. The issue is tied to the OAuth callback controller and its handling of error query parameters in those releases.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate impact. EPSS data is not available, so the likelihood of exploitation is uncertain, but the advisory reports exploitability via crafted URLs that authenticated users will visit. The vulnerability is not listed in CISA's KEV catalog, which suggests no confirmed widespread exploitation so far; the potential for session hijacking or unauthorized actions nonetheless warrants timely remediation.
OpenCVE Enrichment