Closed
Description
Whenever a new user registers a new account on October CMS, he has an option to upload his profile picture. On uploading, he can give a caption for his image. This tab executes JavaScript. When an administrator opens this user's account, the script executes (if any script is input). Any user with limited privileges can inject malicious JavaScript and even access administrator credentials via cookies. There is enough chance for an attacker to grab the credentials from any user, practically, without even the users being aware of it.
POC:

```
<svg onload=alert(document.cookie)>
```

Input this script inside the caption tab of the image and the cookie contents pop up.
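The report describes a caption stored as-is and later rendered as markup in the administrator's view. The sketch below is an added example, not part of the original report and not October CMS code: it contrasts that rendering pattern with output encoding, and adds an `HttpOnly` session cookie as defence in depth. All function names and the cookie name are hypothetical.

```javascript
// Added example (plain JavaScript, runs under Node.js). Hypothetical names throughout.

// Characters that let text break out of an HTML text node or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored caption is concatenated into markup unchanged,
// so any tag or event handler inside it becomes part of the page.
function renderCaptionUnsafe(caption) {
  return '<figcaption>' + caption + '</figcaption>';
}

// Hardened pattern: the caption is encoded at output time and stays inert text.
function renderCaptionSafe(caption) {
  return '<figcaption>' + escapeHtml(caption) + '</figcaption>';
}

// Same encoding applies when the caption is echoed back into an edit field.
function renderCaptionInput(caption) {
  return '<input type="text" name="caption" value="' + escapeHtml(caption) + '">';
}

// Defence in depth: an HttpOnly cookie is not exposed through document.cookie,
// so a script that does run cannot read the session identifier that way.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Review helper: does the caption body still contain anything that parses as a tag?
function containsActiveMarkup(html) {
  const inner = html.replace(/^<figcaption>|<\/figcaption>$/g, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Input taken from the report's POC; the cookie value is constructed.
const reportedCaption = '<svg onload=alert(document.cookie)>';

console.log(renderCaptionUnsafe(reportedCaption));
console.log(renderCaptionSafe(reportedCaption));
console.log(renderCaptionInput('" autofocus onfocus="x'));
console.log(sessionCookieHeader('session_id', 'constructed-value'));
```

Encoding at output is the primary fix; the cookie flag only limits what a script could read if another injection point is missed.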
