Stored XSS in "Real Name" field - My Account #164
Comments
Please submit a pull request to fix this.

Someone requested a CVE identifier for this vulnerability and it got assigned CVE-2019-7172. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7172

As a maintainer of this project, are you planning to fix this and release a new version? I don't think waiting for PRs is the correct way to handle security issues (maybe only if this is mentioned clearly in some documentation). Of course that is only my personal opinion, but I can't recommend that people use ATutor if this is the case.

ATutor is no longer maintained.
Description -
There's no escaping done before printing out the value of Real Name on the My Account page.
ATutor version - v2.2.4
Steps to reproduce -
Navigate to http://localhost/atutor/mods/_core/users/admins/my_edit.php & add the below-shared payload as the value of the Real Name field.
Payload -
admin<img src=xss onerror=alert(1)>
Visit http://localhost/atutor/mods/_core/users/admins/index.php, and the payload will be triggered.
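The defect the report describes is missing output escaping: a stored value is written straight into the HTML of the admin listing. As an added example (not ATutor's code and not part of this thread), the two hypothetical `render_real_name_*` functions below put the unescaped echo beside an escaped one and run both over the payload quoted in the report, so the difference in the emitted markup is visible:

```php
<?php
// Added example, not ATutor's own code. render_real_name_vulnerable() and
// render_real_name_safe() are hypothetical stand-ins for the code path that
// prints the stored "Real Name" into the My Account / admin listing page.
declare(strict_types=1);

// Vulnerable pattern: the stored value is concatenated into HTML as-is, so
// any markup it contains is parsed by the browser instead of shown as text.
function render_real_name_vulnerable(string $realName): string
{
    return '<td>' . $realName . '</td>';
}

// Hardened pattern: escape at the point of output for the HTML text context.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attribute values; the charset is stated explicitly.
function render_real_name_safe(string $realName): string
{
    return '<td>' . htmlspecialchars($realName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed test input: the payload quoted in the report.
$payload = 'admin<img src=xss onerror=alert(1)>';

$variants = [
    'vulnerable' => render_real_name_vulnerable($payload),
    'safe'       => render_real_name_safe($payload),
];

// Report whether an element tag survived into the output for each variant.
foreach ($variants as $label => $html) {
    $status = (strpos($html, '<img') !== false) ? 'tag survives' : 'tag neutralised';
    printf("%-10s %-16s %s\n", $label, $status, $html);
}
```

The escaping has to happen where the value is written, not only where it is stored, because the same "Real Name" may later be printed into a different context (an attribute, a JavaScript string, a URL) that needs its own encoder; `htmlspecialchars` with `ENT_QUOTES` is the right choice for HTML text and quoted attributes only.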