Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cross Site Script Vulnerability on "Tools" feature in NavigateCMS 2.9 #16

Closed
luuthehienhbit opened this issue Jun 18, 2020 · 2 comments
Closed

Comments

@luuthehienhbit
Copy link

Expected behaviour
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Tools" feature.
Impact
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.
Steps to reproduce

  1. Log into the Admin.
  2. Go to function "Tools"
  3. Click Web users
    image
  4. Perform "Create" or "Edit"
    image
  5. Add payload in name via Personal: '><details/open/ontoggle=confirm(document.cookie)>
  6. Load web:
    image
    NavigateCMS 2.9
@NavigateCMS
Copy link
Owner

Fixed by 68e1870

@r0ck3t1973
Copy link

Hi Team Security @NavigateCMS

You can a CVE ID assigne!

Thanks you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants