Stored XSS in profile page #797
Comments
|
Thank you for pointing out. We’re looking into an xss library to be used to clean the data
Very soon we will update.
… On 18-Jul-2018, at 4:35 PM, DrStacheWH ***@***.***> wrote:
Description:
Cross-site scripting (XSS) vulnerability in Gleez CMS allow remote attackers (users) to inject arbitrary Javascript or HTML via the profile page editor, which will result in a Stored XSS on his public profile.
Vulnerability Type: Stored XSS
Attack Vectors:
Go to your profile page editor https://demo.gleezcms.org/user/edit
Set your home page URL to : http://x.x/<svg onload=alert(document.cookie)>
Now when someone will check your profile page, alert(document.cookie) will be executed.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
ghost
changed the title
|
Has there been an update regarding this vulnerability? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
Cross-site scripting (XSS) vulnerability in Gleez CMS allow remote attackers (users) to inject arbitrary Javascript or HTML via the profile page editor, which will result in a Stored XSS on his public profile.
Vulnerability Type: Stored XSS
Attack Vectors:
http://x.x/<svg onload=alert(document.cookie)>Now when someone will check your profile page,
alert(document.cookie)will be executed.The text was updated successfully, but these errors were encountered: