This repository has been archived by the owner on Jul 22, 2020. It is now read-only.

Another stored XSS in Full name field of ClipperCMS 1.3.3 #491

Open
Chakvai opened this issue Jul 11, 2018 · 0 comments

Chakvai commented Jul 11, 2018

Hello

I still found some stored XSS even though many XSS issues have been reported in this CMS. They are in the Full Name field of a user under the Security -> Manager Users tab and Security -> Web Users, which allows an authenticated attacker (who has the user management role) to inject/store a malicious script inside the Full name field. The script will be executed once the Manager Users or Web Users page is accessed.

Steps to reproduce stored XSS

  1. Go to Security -> Manager Users or Security -> Web Users tab
  2. Add new user or edit existing user
  3. In the Full name field, input an XSS payload and save
  4. Visit Security -> Manager Users or Web Users; the payload will be executed

Impact:
After a successful exploit, the user's cookies can be stolen and CSRF validation (Referer header in this CMS) can also be bypassed. That can also lead to admin account takeover.
Authenticated XSS might not be a serious issue, but letting a malicious script execute from an admin's browser is not a good thing either.

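A sketch of the output-encoding fix for the user listing described in the report above. This is an added example, not ClipperCMS code and not part of the original issue; the function names, array keys and sample rows are hypothetical.

```php
<?php
// Added illustration, not ClipperCMS source. Function names, array keys and
// the sample rows are hypothetical stand-ins for a user-listing page.

// Encode a value for an HTML text node or a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the stored full name is concatenated into markup unchanged, so
// markup saved in the field is parsed by the browser of whoever opens the list.
function renderUserRowUnsafe(array $user): string
{
    return '<tr><td>' . $user['username'] . '</td><td>' . $user['fullname'] . '</td></tr>';
}

// "After": every stored field is encoded at output time, including fields
// that only privileged users can edit.
function renderUserRowSafe(array $user): string
{
    return '<tr><td>' . e($user['username']) . '</td><td>' . e($user['fullname']) . '</td></tr>';
}

// Constructed sample rows; the second carries markup in the full name.
$users = [
    ['username' => 'alice', 'fullname' => "Alice O'Neil"],
    ['username' => 'bob',   'fullname' => '<script>alert(1)</script>'],
];

foreach ($users as $user) {
    $unsafe = renderUserRowUnsafe($user);
    $safe   = renderUserRowSafe($user);
    // Regression check: the encoded row must contain no tag other than the
    // <tr>/<td> tags emitted by the row template itself.
    $extraTags = preg_match_all('/<(?!\/?(tr|td)>)/', $safe);
    printf("%-6s unsafe has <script>: %s | safe extra tags: %d\n  %s\n",
        $user['username'],
        stripos($unsafe, '<script') !== false ? 'yes' : 'no',
        $extraTags,
        $safe);
}
```

Encoding at output rather than filtering at save time also covers full names that are already stored in the database.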
