This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

XSS in page description #56

Closed
dongvv-2538 opened this issue Aug 30, 2021 · 1 comment

Comments

@dongvv-2538

Describe the bug
A user with page creation/editing privileges can create an XSS payload in the description field to trigger XSS when viewing all pages from the admin panel.
To Reproduce
Steps to reproduce the behavior:

  1. Click on 'Create New Page'
  2. Go to 'Meta Tags' tab
  3. In the 'description' section, insert arbitrary XSS payload
  4. Go to 'See all page'
  5. See error

Expected behavior
The XSS payload will be triggered for anyone who views this page description (especially admin accounts).

Screenshots
image

Desktop (please complete the following information):

  • OS: tested on Kali Linux
  • Browser: tested on Firefox
  • Version: 2.0.7

video PoC
https://youtu.be/XkjPdJvnMQ0

Additional context
This bug can be exploited by anyone who has edit/create page privileges.

@patkon
Member

patkon commented Aug 30, 2021

Thank you for reporting. I will fix that as soon as possible.

@patkon patkon closed this as completed in a6a67cf Sep 15, 2021
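
The report describes a stored description reaching the admin 'See all page' view without output encoding. As an added example (not the project's code and not the fix in a6a67cf; the function names, markup and sample records are assumptions), the following contrasts a listing row built by raw concatenation with one that encodes at output, and covers the quoted-attribute case on the assumption that the description is also emitted as a meta tag.

```javascript
// Added example: names and markup are hypothetical, not the project's code.

// Encode the five characters that can change the HTML parsing context.
// Sufficient for element content and for quoted attribute values only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": stored fields are concatenated into the admin listing as-is,
// so any markup saved in the description is parsed by the viewer's browser.
function renderRowUnsafe(page) {
  return `<tr><td>${page.title}</td><td>${page.description}</td></tr>`;
}

// "After": every stored field is encoded at the point of output.
function renderRowSafe(page) {
  return `<tr><td>${escapeHtml(page.title)}</td><td>${escapeHtml(page.description)}</td></tr>`;
}

// Attribute context (assumed meta description tag): the value must be
// quoted and quote characters encoded, or it can break out of content="".
function renderMetaDescription(page) {
  return `<meta name="description" content="${escapeHtml(page.description)}">`;
}

// Build the whole listing with a given row renderer.
function renderListing(pages, renderRow) {
  return `<table>${pages.map(renderRow).join('')}</table>`;
}

// Constructed sample records: one ordinary, two carrying markup test strings.
const samplePages = [
  { title: 'About', description: 'Company history & contacts' },
  { title: 'Test 1', description: '<script>alert(1)</script>' },
  { title: 'Test 2', description: '" onmouseover="alert(1)' },
];

console.log(renderListing(samplePages, renderRowUnsafe));
console.log(renderListing(samplePages, renderRowSafe));
console.log(samplePages.map(renderMetaDescription).join('\n'));
```

Encoding at output rather than at save time also neutralizes descriptions that were stored before the fix.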