This repository has been archived by the owner on Jan 5, 2023. It is now read-only.
Stored XSS in Index #57
Closed
Description
Describe the bug
Cross-Site Scripting (XSS) via saving Exclude URLs
To Reproduce
Steps to reproduce the behavior:
- Log in to flatCore CMS
- Click on 'Create new Page' after click 'Index'
- Insert an XSS payload into Exclude URLs
- The XSS is saved on: http://domain/acp/acp.php?tn=pages&sub=index
Screenshots
[Screenshot: XSS payload]
Desktop (please complete the following information):
- OS: all
- Browser : all
- Version : all
Additional context
The XSS attack will help the hacker get the login session of other users, requiring them to have at least one "Create new Pages" permission.
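One way to close the stored XSS reported above, as an added example that is not part of the original issue and not flatCore's own code: validate the "Exclude URLs" value when it is saved and encode it whenever it is written back into the admin page. The function names, the `exclude_urls` field name and the one-absolute-URL-per-line format are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not flatCore's own functions.

/** Parse the submitted "Exclude URLs" text: one absolute http(s) URL per line (assumed format). */
function parse_exclude_urls(string $raw): array
{
    $urls = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        // Drop empty lines and anything with markup, quotes, spaces or control bytes.
        if ($line === '' || preg_match('/[<>"\'`\s\x00-\x1f]/', $line)) {
            continue;
        }
        if (filter_var($line, FILTER_VALIDATE_URL) === false) {
            continue;
        }
        $scheme = strtolower((string) parse_url($line, PHP_URL_SCHEME));
        if ($scheme === 'http' || $scheme === 'https') {
            $urls[] = $line;
        }
    }
    return array_values(array_unique($urls));
}

/** Encode a stored value for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the stored list back into the admin form, encoded on output. */
function render_exclude_urls(array $urls): string
{
    return '<textarea name="exclude_urls">' . e(implode("\n", $urls)) . '</textarea>';
}

// Constructed sample input: two valid URLs and one line carrying markup.
$submitted = "https://example.com/private/\n<script>alert(1)</script>\nhttp://example.com/tmp";
$stored = parse_exclude_urls($submitted);
echo render_exclude_urls($stored), "\n";
// Rows saved before validation existed are still neutralised by output encoding.
echo e('"><script>alert(1)</script>'), "\n";
```

Output encoding is the control that stops the script from running in another user's session; the save-time validation only keeps non-URL data out of storage.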