This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

Stored XSS in Index #57

Closed
ngochieu-kiminawa opened this issue Sep 6, 2021 · 2 comments

@ngochieu-kiminawa

Describe the bug
Cross Site Scripting (XSS) via save Exclude URLs

To Reproduce
Steps to reproduce the behavior:

  1. Log in to flatCore CMS
  2. Click on 'Create new Page' after clicking 'Index'
  3. Insert an XSS payload into Exclude URLs
  4. The XSS is saved on: http://domain/acp/acp.php?tn=pages&sub=index

Screenshots
[image]

XSS payload
<script>alert(1)</script>

Desktop (please complete the following information):

  • OS: all
  • Browser : all
  • Version : all

Additional context
The XSS attack will help the hacker get the login session of other users, requiring them to have at least one "Create new Pages" permission.

@ngochieu-kiminawa
Author

ngochieu-kiminawa commented Sep 6, 2021

@patkon
Can you help me check this issue?
Looking forward to hearing from you.
Thanks.

@patkon
Member

patkon commented Sep 6, 2021

I'll fix that as soon as possible.

patkon added a commit that referenced this issue Sep 6, 2021
@patkon patkon closed this as completed Jan 5, 2023
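
For the class of bug reported above (a value saved from the Exclude URLs field and later written into an admin page), the usual remedy is to validate on save and encode on every output. The sketch below is an added example, not flatCore's code and not the contents of the referenced commit; the function names, the one-entry-per-line format and the `<li>` markup are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers and markup: the issue does not show flatCore's code.

/** Encode a stored value for HTML text or quoted-attribute output. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Save-side check for an "Exclude URLs" field (assumed: one entry per line).
 * Keeps http(s) URLs and site-relative paths, drops everything else.
 */
function filter_exclude_urls(string $raw): array
{
    $accepted = [];
    foreach (preg_split('/\R/', $raw) ?: [] as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $scheme = strtolower((string) parse_url($line, PHP_URL_SCHEME));
        $isAbsolute = filter_var($line, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true);
        $isRelative = preg_match('#^/[A-Za-z0-9._~/%-]*$#', $line) === 1;
        if ($isAbsolute || $isRelative) {
            $accepted[] = $line;
        }
    }
    return $accepted;
}

/** Render the stored list; every value is encoded at output time. */
function render_exclude_urls(array $urls): string
{
    $items = array_map(fn(string $u): string => '<li>' . esc_html($u) . '</li>', $urls);
    return "<ul>\n" . implode("\n", $items) . "\n</ul>";
}

// Constructed sample input, including the payload from the report.
$submitted = "/private/\n<script>alert(1)</script>\nhttps://example.org/a?b=1&c=2";

// Unsafe pattern: the stored value is concatenated into the page as-is.
$unsafe = '<li>' . $submitted . '</li>';

// Hardened pattern: validate on save, encode on output.
echo render_exclude_urls(filter_exclude_urls($submitted)), PHP_EOL;
```

Output encoding is the control that matters here: a syntactically valid URL can still contain characters such as `&` or quotes that must be encoded for the HTML context, so the save-side filter is defence in depth rather than a substitute.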