Admin Member JSON Update Store XSS vulnerable

[hacker625]

Test it on version 4.2.1.

First login the panel with user credential, Go to member tag from left menu.

http://localhost/panel/members/

Username, Full Name, Email are editable with double click on it. Insert the following payload

<img src=x onerror=alert(document.cookie)>

Xss alert are trigger.

Poc

Note. Script tag are filter in the input field. it is work at username
<img src="//www.gravatar.com/avatar/1667c96fb90d94769e72069d6cad71b6?s=100&amp;d=mm&amp;r=g" alt="<script>alert(1);</script>">

Poc 2

Please fix and filter all input tag.
Thank you.

[vbezruchkin]

Hi,

Can you explain what benefit it would be, if you already have admin access? Frontend input is properly sanitized, so why would admin need to use that line for user? I don't quite understand the idea.

Thanks