
Cross Site Scripting Vulnerability on "Document Manager" feature in Evolution 2.0.2 #1473

Open
luuthehienhbit opened this issue Jun 1, 2020 · 3 comments

Comments

@luuthehienhbit

Describe the bug
An authenticated malicious user can take advantage of a Reflected XSS vulnerability in the "Document Manager" feature.
To Reproduce
Steps to reproduce the behavior:
1. Log into the /manager
2. Go to "Doc Manager" in Modules
3. Insert the payload:
'><details/open/ontoggle=confirm(1337)>
4. Click "Submit"
Impact
Common impacts include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Versions
Evolution CMS 2.0.2
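Added example, not taken from the issue or from the Evolution CMS code base: a minimal Python model of the reflection the report describes. It shows why the posted payload breaks out of a single-quoted attribute value and how output encoding that also escapes quotes neutralizes it while preserving the user's text. The form template, the `search` field name and the helper functions are hypothetical; the real Document Manager markup is not on this page.

```python
import html
import re

# Constructed sample input: the payload quoted in the issue. It closes the
# single-quoted attribute it lands in, then injects a <details open> element
# whose ontoggle handler runs as soon as the element is rendered.
ISSUE_PAYLOAD = "'><details/open/ontoggle=confirm(1337)>"

# Hypothetical template for a search box that reflects the submitted term
# back into a single-quoted value attribute. Not Evolution's own markup.
TEMPLATE = "<form><input type='text' name='search' value='{value}'></form>"
EXPECTED_TAGS = {"form", "input"}

TAG_NAME_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")
VALUE_RE = re.compile(r"value='([^']*)'")


def render_unsafe(user_value: str) -> str:
    """Reflects the raw value: the vulnerable pattern the report describes."""
    return TEMPLATE.format(value=user_value)


def render_safe(user_value: str) -> str:
    """Escapes & < > \" and ' before reflecting. quote=True matters here:
    without it a single quote would still terminate the attribute value.
    The PHP equivalent is htmlspecialchars($v, ENT_QUOTES, 'UTF-8')."""
    return TEMPLATE.format(value=html.escape(user_value, quote=True))


def injected_tags(rendered: str) -> list[str]:
    """Tag names present in the output that the template never emits.
    Any hit means user input was parsed as markup rather than as text."""
    return [t for t in TAG_NAME_RE.findall(rendered)
            if t.lower() not in EXPECTED_TAGS]


def reflected_value(rendered: str) -> str:
    """Decodes the value attribute back to text, to confirm that escaping
    preserves the user's input exactly instead of silently filtering it."""
    match = VALUE_RE.search(rendered)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(ISSUE_PAYLOAD)
        print(f"{label}: {out}")
        print("  injected tags:", injected_tags(out))
        print("  value round-trips:", reflected_value(out) == ISSUE_PAYLOAD)
```

The check that matters in review is `injected_tags`: the unsafe rendering yields a `details` element the template never contained, the safe rendering yields none, and `reflected_value` shows that encoding kept the submitted text intact, so the fix is context-correct output encoding rather than stripping characters.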

@Dmi3yy

Dmi3yy commented Jun 1, 2020

If you have access to the manager panel you have full access, and any XSS makes no sense, because you can do what you need without XSS )

@luuthehienhbit
Author

Hello @Dmi3yy,
I think the admin is only allowed to use JS/HTML in certain areas, like editing a plugin/module or a theme/template, etc. In other parts, if the admin is still allowed to use it arbitrarily, it will create a risk of attack, etc., because a website will probably have one or more admins. An attacker with admin rights can take full advantage and lure victims with malicious intent through XSS :))

@Dmi3yy

Dmi3yy commented Jun 1, 2020

If you have any rights in the manager you can write any snippet in content, and get any results you want. So XSS in the manager panel makes no sense.

With many main snippets you can get info from the DB or change something in the DB, so you don't need to use XSS, because it's easy to use a snippet for that.
