Multiple Persistent Cross-Site Scripting Vulnerabilities #82
Comments
This issue has been assigned CVE-2018-7447.

This is not an issue because these fields are only accessible by admins and this is a content management system. As a content management system, admins have to have the ability to add scripts to their pages. Further, the content wysiwyg editors also allow admins to add scripts to a page. While it would be silly to add them to the title or subtitle fields, it's not a vulnerability. You are effectively calling site admins attackers if you think this is a problem. Please close the CVE.

@JosephMDavis since it's pretty inconceivable anyone would want script in blog title or subtitle, wouldn't it be prudent to prevent execution when these are rendered on page? That would address OP's concern without any impact on mojo functionality. Or am I missing something?

Hi Crispin, I've already done so in my copy. I'll push to the repo soon. I just don't think it makes sense to call this a vulnerability and give the impression mojo has a security flaw like this. Thanks,

@JosephMDavis agreed. And blog posts can never be created by anonymous users. But this seems like a safe and sensible change anyway.

@CrispinF I would argue that it's not any safer or prudent, as you can still put scripts (and rightfully so) in the excerpt and body of the post. I would agree, however, that it makes more sense to have these inputs output text only, as we can change the markup with the theme.skin.

To clarify, @ElijahFowler I meant "sensible" as in it should help close this CVE. And I meant "safe" as in this change won't remove any useful functionality.
Description: mojoPortal is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of the 'Blog' page are vulnerable.
Impact: An attacker can execute arbitrary code in the browser of a random user.
Affected version: all
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:P/I:P/A:P
Credit: Preethi Koroth (@p3core0ath)
Thanks.