Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
A remote user who has the right to modify navigation management can inject arbitrary web script or HTML in admin/nav/add.html via the name parameter to cause an XSS attack.
PoC:
After that, when another administrator visits the back end, it will cause an XSS attack:
When front-end users visit this column, it can also cause an XSS attack:
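The report describes the stored name being rendered in two places, the admin back end and the front-end column. As an added example (not noneCMS code and not part of the original report), this PHP shows the value being encoded at both output points; the function names, the `/nav/{id}` URL and the sample record are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from noneCMS.
declare(strict_types=1);

/** Encode a stored value for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Input-side check for the navigation name: valid UTF-8, 1 to 50 characters,
 * no control characters. Markup characters still pass this check, so it
 * narrows what gets stored but does not replace encoding on output.
 */
function validate_nav_name(string $name): string
{
    $name = trim($name);
    if (preg_match('/\A[^\x00-\x1F\x7F]{1,50}\z/u', $name) !== 1) {
        throw new InvalidArgumentException('invalid navigation name');
    }
    return $name;
}

/** Admin list row: the name is encoded at the point of output. */
function render_admin_row(array $nav): string
{
    return sprintf('<tr><td>%d</td><td>%s</td></tr>', (int) $nav['id'], e($nav['name']));
}

/** Front-end menu entry: encoded in the attribute and in the link text. */
function render_menu_item(array $nav): string
{
    $name = e($nav['name']);
    // "/nav/%d" is a hypothetical URL scheme.
    return sprintf('<li><a href="/nav/%d" title="%s">%s</a></li>', (int) $nav['id'], $name, $name);
}

// Constructed sample record standing in for a row saved through the "name" field.
$stored = ['id' => 7, 'name' => validate_nav_name('<script>alert(1)</script>')];

// Both views emit &lt;script&gt;alert(1)&lt;/script&gt; as inert text.
echo render_admin_row($stored), PHP_EOL;
echo render_menu_item($stored), PHP_EOL;
```

Encoding at render time covers rows that were stored before any input validation was added, which is why both views call `e()` rather than relying on the save path.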