nc-cms Cross Site Scripting #9

Closed
Marblue opened this issue Oct 14, 2018 · 2 comments

Marblue commented Oct 14, 2018

Hello, I found that this CMS may have some security problems.
You can edit your HTML at http://localhost/nc-cms/nc-cms/index.php?action=edit_html&name=home_content
and you can input any evil JS you want.

gnat (Owner) commented Oct 15, 2018

@Marblue Are students simply being told to go around to projects including TinyMCE and open issues like these?

It's by design, my friend. Think about the security context here: The user would already need administrator privileges to access this form. If they want to add some javascript, they should be able to.

gnat (Owner) commented Jan 22, 2019

Closing, won't fix for reasons above.

gnat closed this as completed Jan 22, 2019