Closed
Description
Summary
An authenticated malicious user can take advantage of a XSS vulnerability in the "Modify Group" feature in Admin
Steps to Reproduce:
- Login into the Admin panel
- Go to '/backend/groups/index.php'
- Add group with name '">
- Save group.
Impact
Cookie Stealing - A malicious user can steal cookies and use them to gain access to the application.
Arbitrary requests - An attacker can use XSS to send requests that appear to be from the victim to the web server.
Malware download - XSS can prompt the user to download malware. Since the prompt looks like a legitimate request from the
site, the user may be more likely to trust the request and actually install the malware.
Defacement - attacker can deface the website using javascript code.