
Stored XSS: User Photo #14102

Closed
AgelxNash opened this issue Oct 2, 2018 · 1 comment

Comments

@AgelxNash
Contributor

Stored XSS: The application is vulnerable to stored XSS.

Steps to reproduce

Under Manage -> Users sources choose Create New User, enter the XSS payload `" onerror="alert(1)` in the User Photo field and click on Save.
The application renders the entered script and displays a pop-up whenever the page is visited by the user.

Observed behavior
The application processes the HTML tags or scripts, and they get stored in the database.

Expected behavior
It should not accept any scripts or HTML tags.

Environment
MODX version: MODX Revolution 2.6.5-pl

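The report above describes an attribute-injection XSS: the User Photo value is placed straight into the `src="..."` attribute of an `<img>` tag, so a value containing a double quote closes the attribute and whatever follows becomes a new attribute (here an `onerror` handler). The following is an added example, not MODX code, showing a minimal vulnerable renderer next to a hardened one that validates the URL shape first and HTML-escapes the attribute value; the `assets/default-avatar.png` fallback path and the accepted URL forms are assumptions for the example.

```javascript
// Added example (not MODX code): stored attribute-injection XSS in an
// <img src="..."> built from a user-supplied photo value, and a hardened
// version that validates and escapes the value before rendering.

// The value from the issue report: it closes src="" and appends an
// event-handler attribute to the tag.
const REPORTED_PAYLOAD = '" onerror="alert(1)';

// Vulnerable rendering: raw string concatenation into an attribute.
function renderPhotoVulnerable(photo) {
  return '<img src="' + photo + '" alt="User photo">';
}

// Escape the characters that are significant inside an HTML attribute
// value (and in text nodes), so a quote can never end the attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only http(s) URLs or simple relative paths; anything else
// (javascript:, data:, values with quotes or whitespace) yields null.
// The accepted forms are an assumption for this example.
function validatePhotoUrl(photo) {
  const s = String(photo).trim();
  if (/^https?:\/\/[^\s"'<>]+$/i.test(s)) return s;
  if (/^[A-Za-z0-9_\-./]+$/.test(s) && !s.includes('..')) return s;
  return null;
}

// Hardened rendering: validate first, then escape unconditionally.
// Invalid values fall back to an assumed default avatar path.
function renderPhotoSafe(photo) {
  const url = validatePhotoUrl(photo);
  if (url === null) {
    return '<img src="assets/default-avatar.png" alt="User photo">';
  }
  return '<img src="' + escapeAttr(url) + '" alt="User photo">';
}

// Detection helper for the test: does the rendered tag contain any
// on*= event-handler attribute?
function hasEventHandlerAttr(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable:', renderPhotoVulnerable(REPORTED_PAYLOAD));
console.log('hardened:  ', renderPhotoSafe(REPORTED_PAYLOAD));
```

Escaping alone would already stop the attribute break-out; the URL check is the second layer, rejecting values that are not plausible image locations at all, which also covers `javascript:` and similar schemes that escaping does not address.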
@AgelxNash AgelxNash mentioned this issue Oct 2, 2018
alroniks pushed a commit that referenced this issue Feb 6, 2019
* upstream/pr/14335:
  XSS in the tree
  Fix #14105
  Fix #14104
  Fix #14103
  Fix #14102
  Enable remote avatars
@AgelxNash
Contributor Author

CVE-2018-20755

opengeek added a commit that referenced this issue Feb 22, 2019
* origin/2.x: (104 commits)
  Change the RSS feed URLs to HTTPS
  MODX Revolution 2.7.1-pl
  Update lexicons from crowdin
  Change after review
  Update phpThumb 1.7.15-201902101903
  Restore html in resource tree (#14358) while preserving XSS protections in trees by default
  Handle deprecated $type and $responseCode parameters in $modx->sendRedirect and fix message
  Update lexicon entry
  Include not deleted children of deleted parents in the list
  Using cltr/cmd and click will open the url in a new tab/window again for ExtJS elements that use `loadPage()` to open URLs
  Forbid generating child resources for deleted resources
  Fix #14094
  XSS in the tree
  Fix #14105
  Fix #14104
  Fix #14103
  Fix #14102
  Enable remote avatars
  Fix regression in resourcelist that prevents parents from working correctly
  Improve wording in variables
  ...
Labels: None yet
Projects: None yet
Development: No branches or pull requests
1 participant