Any user can execute JavaScript code on an administrator user's account by simply changing their name into an XSS payload. This can be used to create a denial of service condition, or make the administrator perform unauthorised actions.
Steps to reproduce

1. Create a user with the lowest privileges.
2. Navigate to the 'My Account' section of the application.
3. Change the user's real name to a JavaScript payload, like asdf<img src=x onerror=alert(1)>
4. Log out of the account.
5. Log into an administrator account.
6. Navigate to the user list in the administrator's console.
7. Observe an alert box appear.
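The root cause the report describes is a stored value (the user's real name) being placed into the admin user list markup without HTML encoding. The following is an added illustration, not code from the original report or the affected application: a row builder that interpolates the name as-is next to one that encodes it first, plus a small check a test suite can use to catch the difference. The function names and the sample user record are assumptions.

```javascript
// Added example (hypothetical names): rendering a stored real name into
// the admin user list, vulnerable form beside the hardened form.

// Encode the characters that can change HTML context in a text node.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into the
// markup, so a name like the one in the report becomes live HTML when the
// administrator's browser parses the user list.
function renderRowUnsafe(user) {
  return `<tr><td>${user.username}</td><td>${user.realName}</td></tr>`;
}

// Hardened pattern: every user-controlled field is encoded for the HTML
// text context before it is placed in the row.
function renderRowSafe(user) {
  return `<tr><td>${escapeHtml(user.username)}</td><td>${escapeHtml(user.realName)}</td></tr>`;
}

// Review/test helper: count element start tags in the rendered output.
// The row template itself contributes exactly three (<tr>, <td>, <td>);
// anything above that came from data, not from the template.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Constructed sample record using the payload quoted in the report.
const SAMPLE_USER = { username: 'lowpriv', realName: 'asdf<img src=x onerror=alert(1)>' };

console.log(renderRowUnsafe(SAMPLE_USER), countStartTags(renderRowUnsafe(SAMPLE_USER))); // 4 start tags
console.log(renderRowSafe(SAMPLE_USER), countStartTags(renderRowSafe(SAMPLE_USER)));     // 3 start tags
```

The same encoding must be applied everywhere the name is rendered (not only the user list), or the DOM API (textContent) used instead of string-built markup; a restrictive Content-Security-Policy limits impact but does not replace output encoding.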