Stored XSS: User Photo #14102
Comments
opengeek added a commit that referenced this issue on Feb 22, 2019:
* origin/2.x: (104 commits) Change the RSS feed URLs to HTTPS MODX Revolution 2.7.1-pl Update lexicons from crowdin Change after review Update phpThumb 1.7.15-201902101903 Restore html in resource tree (#14358) while preserving XSS protections in trees by default Handle deprecated $type and $responseCode parameters in $modx->sendRedirect and fix message Update lexicon entry Include not deleted children of deleted parents in the list Using cltr/cmd and click will open the url in a new tab/window again for ExtJS elements that use `loadPage()` to open URLs Forbid generating child resources for deleted resources Fix #14094 XSS in the tree Fix #14105 Fix #14104 Fix #14103 Fix #14102 Enable remote avatars Fix regression in resourcelist that prevents parents from working correctly Improve wording in variables ...
Stored XSS: The application is vulnerable to stored XSS.
Steps to reproduce
Under Manage -> Users sources choose Create New User and enter the XSS payload
" onerror="alert(1) in the User Photo field and click on Save. The application renders the entered script and displays a pop-up whenever the page is visited by the user.
Observed behavior
The application processes the HTML tags or scripts, and they are stored in the database.
Expected behavior
It should not accept any scripts or HTML tags.
Environment
MODX version: MODX Revolution 2.6.5-pl
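The report's payload works by closing the `src` attribute of the rendered photo tag and appending an event handler. The following added example (not MODX's own code; the `render_user_photo` helper and the `<img>` template are assumptions) renders the reported value both unescaped and with attribute-context escaping, then parses the result the way a browser would to show which version actually carries an `onerror` attribute:

```python
import html
from html.parser import HTMLParser

# Payload quoted from the issue report: it terminates the src attribute
# and injects an event-handler attribute.
PAYLOAD = '" onerror="alert(1)'


def render_user_photo(photo, escape=True):
    """Render a User Photo value into an <img> tag (illustrative template).

    escape=False models the unescaped output the report describes;
    escape=True applies attribute-context escaping, quotes included,
    which is the fix a template needs in this position.
    """
    value = html.escape(photo, quote=True) if escape else photo
    return f'<img src="{value}" alt="User photo">'


class _ImgAttrs(HTMLParser):
    """Collect the attributes of every <img> tag in a markup string."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.append(dict(attrs))


def img_attributes(markup):
    """Attributes of the first <img> in markup, as a parser (browser) sees them."""
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.attrs[0] if parser.attrs else {}


def has_event_handler(markup):
    """Detection check: True if any parsed <img> carries an on* attribute."""
    return any(name.startswith("on") for name in img_attributes(markup))


if __name__ == "__main__":
    for escaped in (False, True):
        out = render_user_photo(PAYLOAD, escape=escaped)
        print(out, "->", "handler injected" if has_event_handler(out) else "safe")
```

With escaping, the entire payload ends up as the literal value of `src` and no `onerror` attribute exists; this is the output the "Expected behavior" section asks for.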