-
-
Notifications
You must be signed in to change notification settings - Fork 528
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flash based XSS #12161
Labels
Comments
this seems pretty serious and now a few years old, is it still an issue? cc @opengeek |
What is |
@opengeek I have no idea, maybe this http://mailru.github.io/FileAPI/ https://github.com/mailru/FileAPI/blob/master/dist/FileAPI.flash.image.swf |
Can we please fix this before 2.5.0-pl? |
Want me to retest this when I get a second? |
Yes, please, it worked here, hopefully it will for you as well |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Hi guys,
Wasn't sure where to report this, the main site didn't have a clear email/section for reporting security vulnerabilities that I could find.
So after testing MODX for some basic vulnerabilities, I came across the FileAPI.flash.image.swf file had a parameter called scale & callback.
The callback parameter is vulnerable to XSS, if you close off the try/catch block, then you can execute an alert:
//MODX/manager/assets/fileapi/FileAPI.flash.image.swf?scale=onw1b&callback=%29}catch%28e%29{};alert%281%29;//
I hope this can be of use to you guys.
Thanks.
The text was updated successfully, but these errors were encountered: