Add a user with name: `"><script>alert(document.cookie)</script>`.
The XSS payload was embedded in config/accounts.php:
The /gui/accounts.php:add() function does not verify the user input!
Hi, thanks for reporting this. However, an attacker must be authenticated to use that vulnerability, which somehow defeats its purpose. Stealing session IDs in that scenario would give him the same permissions he already has to actually use that vulnerability.
Still, you are right it shouldn't be possible and therefore it is fixed in the latest release. 🙂
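
The following is an added example, not the project's code or its actual fix: a sketch of the two controls relevant to the report above, allow-list validation when an account is added and output encoding when the stored name is rendered. The function names, the in-memory account array and the username rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list rule (an assumption, not the project's rule):
// letters, digits, dot, underscore and hyphen, 1 to 32 characters.
function validate_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,32}\z/', $name) === 1;
}

// Hypothetical stand-in for add(): reject invalid names outright instead of
// trying to strip "bad" characters, which tends to leave bypasses behind.
function add_account(array &$accounts, string $name): bool
{
    if (!validate_username($name) || isset($accounts[$name])) {
        return false;
    }
    $accounts[$name] = ['name' => $name];
    return true;
}

// Encode at output time as well, so entries stored before validation existed
// still render as text. ENT_QUOTES encodes both quote styles, which stops a
// value from closing the surrounding attribute.
function render_account_field(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="user" value="' . $safe . '">';
}

$accounts = [];
$reported = '"><script>alert(document.cookie)</script>'; // value from the report

// A conforming name is stored; the reported value is rejected at input time.
var_dump(add_account($accounts, 'alice'));
var_dump(add_account($accounts, $reported));

// Simulate a legacy entry saved before the check existed: the markup
// characters come out as entities, so the browser shows them as text.
echo render_account_field($reported), PHP_EOL;
```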