This repository has been archived by the owner. It is now read-only.

Stored Cross Site Scripting #185

Closed
hp-yang opened this issue May 5, 2017 · 1 comment

@hp-yang

commented May 5, 2017

file: modules/Base/Lang/Administrator/update_translation.php
code:
Base_LangCommon::append_custom($lang, array($original => $new));
Base_Lang_AdministratorCommon::send_translation($lang, $original, $new);
poc: login->menu->administrator->language&translations->PHP environment check(all item)->
<img src="x" onerror="alert(1)">
->confirm
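
The report above comes down to a translation string being stored verbatim and later written into a page without encoding. The following is an added example, not the project's code: `TranslationStore` and its methods are hypothetical stand-ins for the custom-translation storage, and it shows the stored value from the PoC rendered raw next to the same value HTML-encoded at output time.

```php
<?php
// Hypothetical stand-in for a custom-translation store (assumption: PHP 7.4+).
// It is not the Base_LangCommon implementation named in the report.
final class TranslationStore
{
    /** @var array<string, array<string, string>> lang => original => translation */
    private array $custom = [];

    // Write path: keep the translator's text as typed, validate only the key shape
    // and the encoding. Encoding for HTML happens at the point of output.
    public function append(string $lang, string $original, string $new): void
    {
        if (preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $lang) !== 1) {
            throw new InvalidArgumentException('unexpected language code');
        }
        if (preg_match('//u', $new) !== 1) {
            throw new InvalidArgumentException('translation is not valid UTF-8');
        }
        $this->custom[$lang][$original] = $new;
    }

    // Raw lookup: only for non-HTML sinks (export files, logs).
    public function raw(string $lang, string $original): string
    {
        return $this->custom[$lang][$original] ?? $original;
    }

    // Lookup for HTML text nodes and quoted attribute values.
    public function html(string $lang, string $original): string
    {
        return htmlspecialchars(
            $this->raw($lang, $original),
            ENT_QUOTES | ENT_SUBSTITUTE,
            'UTF-8'
        );
    }
}

$store = new TranslationStore();
// The translation value from the report, stored as the administrator form would submit it.
$store->append('en', 'PHP environment check', '<img src="x" onerror="alert(1)">');

$unencoded = '<td>' . $store->raw('en', 'PHP environment check') . '</td>';  // parsed as markup
$encoded   = '<td>' . $store->html('en', 'PHP environment check') . '</td>'; // shown as text

if (strpos($encoded, '<img') !== false) {
    throw new RuntimeException('translation reached the page unencoded');
}
echo $unencoded, PHP_EOL, $encoded, PHP_EOL;
```

Encoding at the output sink also covers translations that were stored before the fix, which input filtering on the update form alone would not.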

@NorbertNader

Contributor

commented May 5, 2017

Thank you very much hp-yang! I can not believe we had this vulnerability for so long... We really appreciate your contributions.
