nc-cms Cross Site Scripting #10

Closed
0xMJ opened this issue Oct 15, 2018 · 2 comments

0xMJ commented Oct 15, 2018

Hello, I found that this CMS may have a security problem.
You can edit your HTML at http://localhost/nc-cms/nc-cms/index.php?action=edit_html&name=home_content
and you can input any evil JS you want:
http://localhost/nc-cms/index.php?action=edit_html&name=home_contenta2ktk%3cimg%20src%3da%20onerror%3dalert(1)%3ejil8q

Owner

gnat commented Oct 15, 2018

@0xMJ Although very unlikely, this one is more plausible than your friend @Marblue's issue as it would require the attacker to phish the site administrator. No regular users would be able to access this page.

Unlikely, but plausible, so congratulations. I'll go ahead and do a low priority release for this one.

gnat commented Jan 22, 2019

Resolved as a low priority fix in version 3.4

gnat closed this as completed Jan 22, 2019
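
Added example, not nc-cms code and not the change shipped in 3.4: one way to close the reflection reported above, assuming the `name` query parameter is echoed into the edit page and that content-block names are short identifiers. The function names are hypothetical; the test value is the URL-decoded parameter from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical handler logic for ?action=edit_html&name=... (assumed, not nc-cms source).

/** Allowlist: block names are assumed to be short identifiers such as home_content. */
function valid_block_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: the request value is copied into markup unchanged (the reported behaviour). */
function render_heading_unsafe(string $name): string
{
    return '<h2>Editing: ' . $name . '</h2>';
}

/** After: reject unexpected names, and still encode at the point of output. */
function render_heading_safe(string $name): ?string
{
    if (!valid_block_name($name)) {
        return null; // caller should answer with HTTP 400
    }
    return '<h2>Editing: ' . h($name) . '</h2>';
}

// Parameter value from the report, as PHP delivers it in $_GET['name'] after URL decoding.
$reported = 'home_contenta2ktk<img src=a onerror=alert(1)>jil8q';

foreach (['home_content', $reported] as $name) {
    $safe = render_heading_safe($name);
    echo 'input:   ', $name, PHP_EOL;
    echo 'unsafe:  ', render_heading_unsafe($name), PHP_EOL;
    echo 'safe:    ', $safe ?? '(rejected, HTTP 400)', PHP_EOL;
    echo 'encoded: ', h($name), PHP_EOL, PHP_EOL;
}
```

The allowlist stops the request before any markup is built, and the encoding step keeps the page safe if the allowlist is later loosened.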