Stored Cross-site Scripting (XSS) #209

Open
ProDigySML opened this Issue Oct 30, 2017 · 0 comments


ProDigySML commented Oct 30, 2017

Issue

Stored XSS found within the blog creation page. This allows attackers to get arbitrary execution of JavaScript code.

Steps to reproduce

  1. Log into a user's account with blog writing permissions (like role user in the demo website)
  2. Go to the blogs page
  3. Create a blog page, with the contents of the page as follows:
    <img src=x onerror=alert(1)>
    Please ensure this payload is entered using the source code view of the blog editor

@Renfos Renfos added the bug label Dec 7, 2017
