A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 that allows an authenticated, authorized user to upload a malicious .svg file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it will trigger an XSS attack.
Log in as admin. In the Assets page,
upload the malicious SVG. The content of xss-cookie.svg:
Back in Assets, we can see that xss-cookie.svg has been uploaded:

When a user clicks xss-cookie.svg, it will trigger an XSS attack.
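
An upload-time check for the condition reported above, as an added example that is not part of the original issue and is not FUEL CMS code: it parses an uploaded SVG and lists any active content found. The function name `svg_active_content`, the deliberately strict blocklist and the sample documents are assumptions made for illustration.

```php
<?php
// Added example, not FUEL CMS code: flag SVG uploads that carry active content.
// Elements that can run script or embed foreign documents (assumed, strict policy).
const SVG_BLOCKED = ['script', 'foreignobject', 'iframe', 'object', 'embed'];

/** Returns the reasons an SVG is unsafe; an empty list means nothing was found. */
function svg_active_content(string $svg): array
{
    // Refuse DTDs outright: images do not need them and they enable entity tricks.
    if (stripos($svg, '<!DOCTYPE') !== false || stripos($svg, '<!ENTITY') !== false) {
        return ['DOCTYPE/ENTITY declaration'];
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement === null || strtolower($doc->documentElement->localName) !== 'svg') {
        return ['not a well-formed SVG document'];
    }
    $reasons = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, SVG_BLOCKED, true)) {
            $reasons[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $attrName = strtolower($attr->localName);
            // Drop whitespace and control characters that browsers ignore in URL schemes.
            $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
            if (strncmp($attrName, 'on', 2) === 0) {
                $reasons[] = "event handler attribute $attrName on <$name>";
            } elseif (in_array($attrName, ['href', 'src'], true) && preg_match('/^(javascript|vbscript|data):/', $value)) {
                $reasons[] = "scripted URL in $attrName on <$name>";
            }
        }
    }
    return $reasons;
}

// Constructed samples, for illustration only.
$samples = [
    'plain.svg'  => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    'active.svg' => '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>/* inert */</script></svg>',
];
foreach ($samples as $file => $body) {
    $found = svg_active_content($body);
    echo $file, ': ', $found ? 'REJECT (' . implode('; ', $found) . ')' : 'accept', PHP_EOL;
}
```

A blocklist like this is not exhaustive, so it works best alongside serving uploaded SVG files with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` header so that a file opened directly cannot run script.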
