Summary
There is a stored XSS on the Tags page of the administrator screen.
Details
On the administrator screen, users who can add tags can execute arbitrary scripts on the browsers of users who access the tag page.
PoC
Add the following payload by adding a tag (admin.php?page=tags).
- Method: pwg.tags.add
- Payload: "/></script><script>alert(3)</script>
- Parameter: name
Required Permissions
- Users who can access "Photos" on the administrator screen
Impact
Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware.
Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions. Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage.
It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.
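The following added example (not Piwigo source code and not part of the original advisory) shows why the PoC value escapes its context when echoed unencoded, and how context-specific output encoding neutralizes it. The helper function names and the two sinks (an HTML attribute and an inline script block) are assumptions for illustration; the advisory does not state where the tag name is rendered.

```php
<?php
// Added example: hypothetical rendering helpers, not Piwigo source code.
// The payload is the one from the PoC; the two sinks (HTML attribute and
// inline <script> block) are assumed places where a tag name may be echoed.

$tagName = '"/></script><script>alert(3)</script>';

// --- Vulnerable: the stored value is concatenated into markup as-is ---
function render_attr_unsafe(string $name): string
{
    return '<input type="text" name="tag_name" value="' . $name . '"/>';
}

function render_script_unsafe(string $name): string
{
    return '<script>var tagName = "' . $name . '";</script>';
}

// --- Hardened: encode for the context the value lands in ---
function render_attr_safe(string $name): string
{
    // ENT_QUOTES encodes both quote styles so the value cannot close the attribute.
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="tag_name" value="' . $encoded . '"/>';
}

function render_script_safe(string $name): string
{
    // JSON_HEX_* emits <, >, &, ' and " as \uXXXX escapes, so no literal
    // "</script>" can appear inside the script block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return '<script>var tagName = ' . json_encode($name, $flags) . ';</script>';
}

// Map each renderer to the number of "<script" openings its template legitimately contains.
$cases = [
    'render_attr_unsafe'   => 0,
    'render_attr_safe'     => 0,
    'render_script_unsafe' => 1,
    'render_script_safe'   => 1,
];
foreach ($cases as $fn => $expectedScriptTags) {
    $html = $fn($tagName);
    // Any extra "<script" in the output means the value broke out of its context.
    $brokeOut = substr_count(strtolower($html), '<script') > $expectedScriptTags;
    printf("%-22s broke_out=%s\n  %s\n", $fn, $brokeOut ? 'yes' : 'no', $html);
}
```

Encoding at output time, per context, also covers tag names already stored in the database; input validation on the name parameter alone would not.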