Describe the bug
In the zones view, a user can add, view and delete zones. When adding a zone there is no input filtering, so an attacker can store unintended values in the zone name. Later, when the zone names are displayed on the web page, there is no output filtering either, leading to a self-stored XSS.
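The mechanism the report describes, a stored zone name concatenated into HTML without output encoding, and the two controls that close it (an input allow-list and context-aware output escaping), shown as an added Python example. This is not ZoneMinder code: the render functions, the allow-list pattern and the sample zone names are assumptions constructed for this illustration.

```python
import html
import re
from urllib.parse import quote as url_quote

# Allow-list for zone names: letters, digits, space, underscore, hyphen; 1-64 chars.
# The pattern is an assumption made for this example, not a ZoneMinder rule.
ZONE_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def validate_zone_name(name: str) -> bool:
    """Input-side check: reject names containing characters a label never needs."""
    return bool(ZONE_NAME_RE.fullmatch(name))


def render_zone_row_unsafe(name: str) -> str:
    """The pattern the report describes: the stored value is dropped into HTML unescaped,
    both inside an attribute and as element text."""
    return f'<tr><td><a href="?view=zone&name={name}">{name}</a></td></tr>'


def render_zone_row_safe(name: str) -> str:
    """Output-side fix: encode for each context the value lands in.
    URL-encode it for the query string and HTML-escape it for the element text."""
    text = html.escape(name, quote=True)            # & < > " ' are all encoded
    href = "?view=zone&amp;name=" + url_quote(name, safe="")  # no quotes or brackets survive
    return f'<tr><td><a href="{href}">{text}</a></td></tr>'


def contains_tag(markup: str, tag: str) -> bool:
    """Small check used to show whether a stored string broke out into its own markup."""
    return f"<{tag}" in markup.lower()


# Constructed sample values for this example (not taken from the report).
BENIGN_NAME = "Driveway-1"
HOSTILE_NAME = '"><b>Driveway</b>'

if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME):
        print("input accepted:", validate_zone_name(name))
        print("unsafe render: ", render_zone_row_unsafe(name))
        print("safe render:   ", render_zone_row_safe(name))
        print("broke out into a <b> element:",
              contains_tag(render_zone_row_unsafe(name), "b"),
              "->", contains_tag(render_zone_row_safe(name), "b"))
```

The allow-list on its own is not enough (the stored data may predate the check or arrive through another path), and escaping on its own leaves junk in the database; the report's two observations map to the two functions above, and both controls should be applied.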
Describe Your Environment
To Reproduce
Affected URL :
http://localhost/zm/index.php?view=zones&action=zoneImage&mid=1
Payload used -
"><img src=x onerror-prompt('1');>

Steps:
1. Add a new zone (a pop-up appears).
2. Enter the payload in the NAME field and select any option from the Type dropdown.
3. Click Save.

Expected behavior
Debug Logs