Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
I have found a Cross-Site Scripting (XSS) bug in Subrion CMS version 4.2.1 in the Create Page functionality of the admin account.
Steps to Reproduce:
Log in as admin via this URL: https://demos.subrion.org/?demo=core&admin=1
As an admin, create a test page.
In the Add a Page section, go to the Page Content, then click "image" and choose the local file 123.svg to upload at this URL: https://demos.subrion.org/_core/admin/elfinder/?mode=image&CKEditor=contents%5Ben%5D&CKEditorFuncNum=1&langCode=en#elf_l1_Lw
the content of 123.svg:
Copy the URL of 123.svg, then add a link to it in the page content:

Save the new page and open it: http://localhost/123.html
An XSS prompt box will pop up.
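The root cause described above is that the image upload path accepts an SVG file by extension without inspecting it, and SVG is XML that can carry scripts. The following is an added example, not Subrion's code, of a server-side gate an upload handler could run before storing an SVG; the helper names are hypothetical and the sample documents are constructed.

```python
"""Server-side gate for uploaded SVG files (added example, not Subrion's code).

An SVG is XML and may carry scripts, event handlers and javascript: URLs, so
an image upload path that accepts .svg must inspect it, not just the extension.
Helper names are hypothetical; the sample documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that run code or embed foreign (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return the reasons an upload must be rejected; an empty list means inert."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    reasons = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            reasons.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            local = _local(attr)
            if local.lower().startswith("on"):  # onload, onclick, ...
                reasons.append(f"event handler {local} on <{tag}>")
            elif attr in ("href", XLINK_HREF) and SCRIPT_SCHEME.match(value):
                reasons.append(f"{local} with script scheme on <{tag}>")
    return reasons

def is_safe_svg_upload(svg_bytes: bytes) -> bool:
    """True only when the document parses as <svg> and has no active content."""
    return not find_active_content(svg_bytes)

# Constructed samples: one inert icon and one carrying a script element.
INERT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
```

Rejecting active content at upload time complements, rather than replaces, serving user uploads with `Content-Disposition: attachment` or from a separate origin so that an SVG never executes in the CMS's admin origin.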

Impact: Session cookies can be stolen, users can be redirected to phishing pages, the browser of a user visiting this page can be controlled, etc.
PoCs have been uploaded.
