Describe the bug
The log view insecurely prints the Log Message value on the web page without applying any proper filtering, leading to XSS.
Example - An attacker can entice the victim to visit a non-existing view (using an XSS payload instead of a valid view); the non-existing view will be reflected back in the logs, thereby triggering the XSS payload.
Describe Your Environment
To Reproduce
Affected URL :
http://localhost/zm/index.php?view=logs
Payload used -
"><img src=x onerror=prompt('1');>
Expected behavior
Debug Logs
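To make the reported defect concrete, the following is an added example written for this page; it is not ZoneMinder's code and does not reproduce how the project's logs view is actually implemented. It models a log viewer that renders a logged message column into an HTML table, once by string concatenation (the pattern that produces the bug) and once with output encoding. The two log rows are constructed for the example, with the first message built from the payload in the report; the column names and function names are assumptions.

```php
<?php
// Added example, not ZoneMinder's code. Constructed log rows: the first
// message is what a server might record when a request names a view that
// does not exist, using the payload from the report above.
$logRows = [
    ['level' => 'WAR', 'message' => "Unknown view: \"><img src=x onerror=prompt('1');>"],
    ['level' => 'INF', 'message' => 'Loading view: logs'],
];

// Vulnerable pattern: the logged text is concatenated straight into markup,
// so any "<" or quote inside it is parsed by the browser as HTML.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['level'] . '</td><td>' . $row['message'] . '</td></tr>';
}

// Hardened pattern: encode every value at the point of output. ENT_QUOTES
// covers both quote styles (needed when a value lands inside an attribute),
// ENT_SUBSTITUTE keeps malformed UTF-8 from silently emptying the string,
// and the explicit charset must match the page's declared encoding.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $row): string
{
    return '<tr><td>' . escapeHtml($row['level'])
         . '</td><td>' . escapeHtml($row['message']) . '</td></tr>';
}

foreach ($logRows as $row) {
    echo 'unsafe: ' . renderRowUnsafe($row) . PHP_EOL;
    echo 'safe:   ' . renderRowSafe($row) . PHP_EOL;
}
```

Run with `php example.php`: the unsafe line for the first row contains a live `<img ... onerror=...>` element, while the safe line renders it as `&lt;img src=x onerror=prompt(&#039;1&#039;);&gt;`, visible text that the browser does not execute. The fix belongs at output time rather than at logging time: the log should keep the raw request data for forensic value, and every place that displays it has to encode for the context it writes into.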