Describe the bug
In the view zone, a user can add/view/delete zones. While adding a zone, there is no input filtration, allowing an attacker to inject unintended values. Later, while displaying the zone names on the webpage, there is no output filtration, leading to self-stored XSS.
Describe Your Environment
To Reproduce
Affected URL: http://localhost/zm/index.php?view=zones&action=zoneImage&mid=1
Payload used: "><img src=x onerror-prompt('1');>
Steps: click "Add a new zone" (a pop-up appears), fill in the NAME field, select any option from the Type dropdown field, and click on save.
Expected behavior
Debug Logs
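As an added illustration of the fix a maintainer would apply (example code written for this note, not ZoneMinder's own code), the PHP snippet below contrasts rendering a stored zone name into HTML verbatim with rendering it through htmlspecialchars(). The zone name, the two render functions, and the input check (including its 64-character limit) are constructed for the example; the real page template and database layer are not shown.

```php
<?php
// Added example (not ZoneMinder's own code): contrasting unescaped and
// escaped rendering of a stored zone name. $storedZoneName is a constructed
// sample standing in for a value saved through the "Add a new zone" dialog.
$storedZoneName = 'Front "Door" <b>cam</b>';

// Vulnerable pattern: the stored name is interpolated into the HTML as-is,
// so any markup the user saved becomes part of the rendered page (stored XSS).
// The double quote in the sample breaks out of the title attribute.
function renderZoneNameUnsafe(string $name): string
{
    return '<span class="zoneName" title="' . $name . '">' . $name . '</span>';
}

// Hardened pattern: escape at the point of output, for both the attribute
// value and the text node. ENT_QUOTES makes htmlspecialchars() encode the
// double quote that would otherwise close the attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function renderZoneNameSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="zoneName" title="' . $escaped . '">' . $escaped . '</span>';
}

// Input-side check (assumed policy): a zone name has no reason to contain
// markup, so reject values outside a conservative character set and length
// before they are stored. This is defence in depth; output escaping is the fix.
function isAcceptableZoneName(string $name): bool
{
    return $name !== ''
        && strlen($name) <= 64
        && preg_match('/^[\p{L}\p{N} _\-.]+$/u', $name) === 1;
}

// Usage: compare the two renderings and the input check on the sample value.
echo renderZoneNameUnsafe($storedZoneName), PHP_EOL;
echo renderZoneNameSafe($storedZoneName), PHP_EOL;
var_dump(isAcceptableZoneName($storedZoneName)); // rejected: contains quotes and tags
var_dump(isAcceptableZoneName('Front Door'));     // accepted
```

The escaped rendering shows the quotes and angle brackets as entities, so the browser displays the name literally instead of parsing it as markup. Escaping must happen wherever the name is emitted (list views, titles, attributes, and any JavaScript that embeds it), which is why the input check alone is not sufficient.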