Add a user with name: "><script>alert(document.cookie)</script>.
The XSS payload was embedded in config/accounts.php:
/gui/accounts.php: the add() function does not verify the user input!
Hi, thanks for reporting this. However, an attacker must be authenticated to use that vulnerability, which somehow defeats its purpose. Stealing session IDs in that scenario would give him the same permissions he already has to actually use that vulnerability.
Still, you are right it shouldn't be possible and therefore it is fixed in the latest release. 🙂
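
An added example, not the project's code: one way to close the gap the report describes, by validating the account name when it is added and encoding it when it is displayed. The function names, the in-memory `$accounts` array and the assumption that the name is echoed into a quoted `value` attribute are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example; all function names and the storage layout are hypothetical.

// Allow-list check applied before an account name is stored.
function validate_account_name(string $name): bool
{
    // Letters, digits, dot, underscore and hyphen only; 1 to 32 characters.
    return preg_match('/\A[A-Za-z0-9._-]{1,32}\z/', $name) === 1;
}

// Encode for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for add(): reject invalid or duplicate names
// instead of writing them to the account store.
function add_account(array &$accounts, string $name): bool
{
    if (!validate_account_name($name) || isset($accounts[$name])) {
        return false;
    }
    $accounts[$name] = ['created' => time()];
    return true;
}

// Render an edit field. The name is encoded on output even though it is
// validated on input, so entries stored before the fix stay inert.
function render_name_field(string $name): string
{
    return '<input type="text" name="user" value="' . h($name) . '">';
}

$accounts = [];
$reported = '"><script>alert(document.cookie)</script>'; // name from the report

var_dump(add_account($accounts, $reported));       // rejected by the allow-list
var_dump(add_account($accounts, 'backup-admin'));  // constructed valid name
echo render_name_field($reported), PHP_EOL;        // markup characters are encoded
```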