This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

Stored XSS in Index #57

Closed
@ngochieu-kiminawa

Description

Describe the bug
Cross-Site Scripting (XSS) via saving Exclude URLs

To Reproduce
Steps to reproduce the behavior:

  1. Log in to flatCore CMS
  2. Click on 'Create new Page' after clicking 'Index'
  3. Insert an XSS payload into Exclude URLs
  4. The XSS is saved on: http://domain/acp/acp.php?tn=pages&sub=index

Screenshots

XSS payload
<script>alert(1)</script>

Desktop (please complete the following information):

  • OS: all
  • Browser: all
  • Version: all

Additional context
The XSS attack will help the hacker get the login session of other users, requiring them to have at least one "Create new Pages" permission.
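
A defensive sketch for the field this report describes, added here as an example; it is not flatCore's code and not part of the original report. The function names, the `exclude_urls` field name and the one-URL-per-line format are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a flatCore function): filter the submitted
// "Exclude URLs" text before it is stored. Assumes one URL per line.
function sanitize_exclude_urls(string $raw): array
{
    $kept = [];
    foreach (preg_split('/\R/', $raw) ?: [] as $line) {
        $line = trim($line);
        // Require a syntactically valid absolute URL.
        if ($line === '' || filter_var($line, FILTER_VALIDATE_URL) === false) {
            continue;
        }
        // Allow only http(s) through a scheme allowlist.
        $scheme = strtolower((string) parse_url($line, PHP_URL_SCHEME));
        if (in_array($scheme, ['http', 'https'], true)) {
            $kept[] = $line;
        }
    }
    return $kept;
}

// Hypothetical renderer: HTML-encode the stored value every time it is
// written back into the admin page. URL validation alone does not make a
// string safe for HTML, so this encoding is what stops a stored payload
// from being parsed as markup.
function render_exclude_urls_field(array $urls): string
{
    $value = htmlspecialchars(implode("\n", $urls), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="exclude_urls">' . $value . '</textarea>';
}

// Constructed sample input: the payload from the report plus two URLs.
$submitted = "<script>alert(1)</script>\nhttps://example.com/private/\nhttp://example.com/a?x=1&y=2";

$stored = sanitize_exclude_urls($submitted);
echo render_exclude_urls_field($stored), PHP_EOL;

// Encoding also neutralises a value stored before validation existed.
echo render_exclude_urls_field(["<script>alert(1)</script>"]), PHP_EOL;
```

Encoding at output time is the control that matters for rows already in the database; the save-time filter only narrows what can be stored from then on.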
