Skip to content

There is a stored XSS vulnerability that can triage JavaScript code #435

Open
@magicming200

Description

@magicming200

Hi, I have found a stored XSS vulnerability. Not same with issue #427 . The trigger is in page's content section, not title section.

Steps to replicate:

  1. log into the system as an editor role
  2. creat a new page in the blog catalog
  3. navigate to content section
  4. enter payload as shown in below section
    <script>alert(document.cookie)</script>
  5. visit http://<your_site>/monstra/blog/<page_name>.php
  6. you will triage JavaScript execution

Impacts:
Anyone who visit the target page will be affected to triage JavaScript code, including administrator, editor, and guest.

Affected Version:
3.0.4

Affected URL:
http://<your_site>/monstra/blog/<page_name>.php

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions