Cross-site Scripting (XSS) in bigtreecms 4.2.21 #328
Comments
Thanks, should be fixed in the next release!

@timbuckingham Can you link to the fixing commit please?

It's referenced above, but here it is again:

@timbuckingham Doh, sorry! Was digging around the branches looking for it and totally spaced it. Thanks!

Is there a CVE-ID for this XSS issue?

There is no CVE assigned that I am aware of; you can request one here: https://iwantacve.org/

CVE-2018-1000521 has been assigned for this vulnerability.
The low-privileged (administrator) users can use this vulnerability to attack high-privileged (Developer) users.
For example, there are two users:

The low-privileged (administrator) user can add a user and set the email value to “temp%40temp.com</section><script>alert(document.cookie)</script><section>”. When the high-privileged (Developer) user views users, he will be XSSed:

Thank you!
email: chybet4@gmail.com
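As an added illustration (not BigTree's own code), the two defences a maintainer would want on the user-add path described above: rejecting the address server-side when the record is created, and escaping every stored field when the user list is rendered so a Developer viewing it sees text rather than markup. The payload is the one from the report with `%40` decoded to `@`; `add_user`, the in-memory store and the row template are constructed stand-ins.

```python
import html
import re

# Constructed sample: the stored-XSS payload from the report, as the
# low-privileged administrator would submit it in the "email" field.
REPORTED_PAYLOAD = 'temp@temp.com</section><script>alert(document.cookie)</script><section>'

# Conservative address pattern: one local part, one '@', dotted domain labels,
# no whitespace and no HTML metacharacters. Deliberately stricter than RFC 5322.
_EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')


def validate_email(value: str) -> bool:
    """First layer: server-side check where the user record is created or edited."""
    return len(value) <= 254 and _EMAIL_RE.fullmatch(value) is not None


def render_user_row(name: str, email: str) -> str:
    """Second layer: escape stored fields at render time, so anything that
    slipped past validation cannot close the <section> or inject a <script>."""
    return (f'<section class="user"><span>{html.escape(name)}</span>'
            f'<span>{html.escape(email)}</span></section>')


def add_user(store: list, name: str, email: str) -> bool:
    """Constructed stand-in for the 'add user' handler: refuse invalid input
    instead of storing it for a higher-privileged user to view later."""
    if not validate_email(email):
        return False
    store.append({"name": name, "email": email})
    return True
```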