/Describe the bug/
I downloaded and installed rukovoditel 2.7.2.
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Entities" feature.
To Reproduce
/Steps to reproduce the behavior/:
1. Log in to the panel
2. Go to '/rukovoditel_2.7.2/index.php?module=entities/entities'
3. Add new 'Entity'
4. Insert payload: "><img src=xx onerror=alert (1337) >
5. Save and BOOM!!!! Alert XSS Message
/Expected behavior/
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML-entity encode any output that is reflected back to the page.
/Screenshots/
[Screenshot: insert payload in module 'entities'] [Screenshot: alert fires]
/Desktop (please complete the following information):/
OS: Windows
Browser: All
Version
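The point in "Expected behavior" above, shown as an added example (not Rukovoditel's code): a filter that only strips `<script>` elements lets the reported payload through unchanged, while entity encoding at the output point keeps the stored value inert. The form rendering, the tag-stripping filter and the parser-based check are assumptions constructed for this illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the payload from the report, as it would be stored in an entity name.
PAYLOAD = '"><img src=xx onerror=alert (1337) >'


def strip_script_tags(value: str) -> str:
    """The insufficient approach: remove <script> elements and nothing else."""
    return re.sub(r"(?is)<script\b.*?</script\s*>|</?script\b[^>]*>", "", value)


def encode_for_html(value: str) -> str:
    """The fix the report asks for: entity-encode for an HTML text/attribute context."""
    return html.escape(value, quote=True)


def render_entity_name(value: str, sanitizer) -> str:
    """Assumed redisplay of the stored value inside an attribute, as an edit form would."""
    return f'<input type="text" name="name" value="{sanitizer(value)}">'


class TagCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag the browser-like parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def parse_tags(fragment: str) -> list[tuple[str, dict]]:
    """Return the tags a parser extracts from the rendered fragment (used as the check)."""
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    for name, fn in (("strip <script> only", strip_script_tags), ("entity encode", encode_for_html)):
        tags = parse_tags(render_entity_name(PAYLOAD, fn))
        print(f"{name:20}: tags seen = {[t for t, _ in tags]}")
```

With the strip-only filter the parser sees a second tag, `img`, carrying an `onerror` attribute; with encoding it sees only the `input`, whose value attribute decodes back to the original string.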