First login the panel with user credential, Go to member tag from left menu.
http://localhost/panel/members/
Username, Full Name, Email are editable with double click on it. Insert the following payload
<img src=x onerror=alert(document.cookie)>
Xss alert are trigger.
Poc
Note. Script tag are filter in the input field. it is work at username <img src="//www.gravatar.com/avatar/1667c96fb90d94769e72069d6cad71b6?s=100&d=mm&r=g" alt="<script>alert(1);</script>">
Poc 2
Please fix and filter all input tag.
Thank you.
The text was updated successfully, but these errors were encountered:
Can you explain what benefit it would be, if you already have admin access? Frontend input is properly sanitized, so why would admin need to use that line for user? I don't quite understand the idea.
Test it on version 4.2.1.
First login the panel with user credential, Go to member tag from left menu.
http://localhost/panel/members/Username, Full Name, Email are editable with double click on it. Insert the following payload
<img src=x onerror=alert(document.cookie)>Xss alert are trigger.
Poc

Note. Script tag are filter in the input field. it is work at username
<img src="//www.gravatar.com/avatar/1667c96fb90d94769e72069d6cad71b6?s=100&d=mm&r=g" alt="<script>alert(1);</script>">Poc 2

Please fix and filter all input tag.
Thank you.
The text was updated successfully, but these errors were encountered: