Stored Cross-site Scripting (XSS) in page name allowing a user to get arbitrary JS execution. This isn't really a big issue as the website already has all session tokens using HttpOnly, and you need to be an administrator (if using as the default) to post. It is quite reasonable for organisations to make other roles for contributors/authors, hence being worth the patch. I'm not too sure if this is still an issue in v3, as I couldn't get the server set up for it yet.
System information
Croogo version: v2.3.1-17-g6f82e6c
Web server: apache2
OS/Version: Ubuntu 16.04
Steps to reproduce
Log into the website
Create a new page
Set the page's name to <img src=x onerror=alert(1)>
Visit the page list section of the admin panel and observe an alert box pop up.
Expected behavior
<img src=x onerror=alert(1)> is HTML Encoded
Actual behavior
JS code is arbitrarily executed
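The expected behaviour above, shown as an added example that is not Croogo's code and not part of the original report: a list row built with and without output encoding, plus a regression check over both. The function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample rows standing in for what an admin page list would load
// from storage; the second title is the value from the report.
$pages = [
    ['id' => 1, 'title' => 'About us'],
    ['id' => 2, 'title' => '<img src=x onerror=alert(1)>'],
];

// Behaviour described in the report: the stored title is concatenated into
// the markup as-is, so the browser parses it as an element.
function renderRowUnescaped(array $page): string
{
    return '<tr><td>' . (int) $page['id'] . '</td><td>' . $page['title'] . "</td></tr>\n";
}

// Expected behaviour: encode at output time for the HTML text context.
// ENT_QUOTES also covers a title that ends up inside an attribute value.
// (CakePHP's h() helper is a wrapper around htmlspecialchars.)
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowEscaped(array $page): string
{
    return '<tr><td>' . (int) $page['id'] . '</td><td>' . esc($page['title']) . "</td></tr>\n";
}

// Regression check: a title that needs encoding must never appear raw in the output.
function containsRawTitleMarkup(string $html, array $pages): bool
{
    foreach ($pages as $page) {
        $needsEncoding = $page['title'] !== esc($page['title']);
        if ($needsEncoding && strpos($html, $page['title']) !== false) {
            return true;
        }
    }
    return false;
}

foreach (['unescaped' => 'renderRowUnescaped', 'escaped' => 'renderRowEscaped'] as $label => $fn) {
    $html = implode('', array_map($fn, $pages));
    echo $label, ': ', containsRawTitleMarkup($html, $pages) ? 'raw markup present' : 'encoded', "\n";
    echo $html;
}
```

The stored value is left unchanged and encoded only when written into HTML, so the same check can be run against any other view that prints the page name.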