This repository has been archived by the owner on Jul 22, 2020. It is now read-only.

HTML injection is found in CMS Clipper_1.3.3 version #496

Open
prasadlingamaiah opened this issue Aug 5, 2019 · 0 comments

prasadlingamaiah commented Aug 5, 2019

HTML injection found in the "User Groups" field in CMS Clipper_1.3.3 version. The module name value is obtained from the user, it is getting saved and displayed without any sanitization.
Affected URL:
http:///ClipperCMS-clipper_1.3.3/manager/

Steps to reproduce:
1. Under Security >> Manager Permissions -->> User Groups

2. Create New user group using
    ">

    This is Prasad Lingamaiah

    !--

Smiley face

3. Go to the user/Resource Group links and the HTML script will execute

**For your reference:**
2
1
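The pattern this report describes (a stored group name written back into the page without encoding) next to an output-encoded form, as an added example. It is not ClipperCMS code: the function names, the `groupname` field and the sample value are assumptions made for illustration, and it assumes PHP 7 or later.

```php
<?php
// Added illustration; not taken from the ClipperCMS code base.
// All function names and the "groupname" field are hypothetical.

// Pattern described in the report: the stored name is concatenated into
// markup unchanged, in an attribute context and in a text context.
function render_group_row_unsafe(string $name): string
{
    return '<input type="text" name="groupname" value="' . $name . '">'
         . '<td>' . $name . '</td>';
}

// Encode on output. ENT_QUOTES encodes both quote styles so the value
// cannot close the attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making the whole result an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_group_row_safe(string $name): string
{
    return '<input type="text" name="groupname" value="' . e($name) . '">'
         . '<td>' . e($name) . '</td>';
}

// Defence in depth at write time: accept only letters, digits, space,
// underscore, dot and hyphen, 1 to 64 characters. Output encoding is
// still required, because other code paths may write to the same column.
function is_valid_group_name(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} _.\-]{1,64}\z/u', $name) === 1;
}

// Constructed sample value shaped like the one in the report.
$stored = '"><h1>injected heading</h1><!--';

echo render_group_row_unsafe($stored), PHP_EOL; // markup is interpreted
echo render_group_row_safe($stored), PHP_EOL;   // markup is shown as text
var_dump(is_valid_group_name($stored));
var_dump(is_valid_group_name('Editors'));
```

Comparing the two echoed lines shows the difference: in the first the value closes the `value` attribute and the heading becomes part of the page, in the second every `"`, `<` and `>` is emitted as an entity.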
