Description
/Describe the bug/
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Edit Menu" feature.
To Reproduce
/Steps to reproduce the behavior/:
1. Log in to the panel
2. Go to '/Mara/codebase/menuedit.php'
3. Insert Payload:
"><script>alert(document.domain)</script>Hello world!
4. Click Test: Alert XSS Message
5. Save and go to Admin Panel
6. Alert XSS Message
/Expected behavior/
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML-entity encode any output that is reflected back to the page.
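Added illustration of the point above, not code from the Mara project: a stand-in filter that only removes script tags (assumed here, since the report does not show the real one) leaves the `">` prefix of the reported payload intact, so it still closes the attribute and injects markup; encoding the value for its HTML context at output time (in menuedit.php and wherever the Admin Panel re-renders the stored label) is what actually neutralises it.

```php
<?php
// Hypothetical stand-in for a "remove <script> tags" filter. This is NOT
// Mara's code; it exists only to show why tag stripping is insufficient.
function stripScriptTags(string $label): string
{
    return preg_replace('#<\s*/?\s*script[^>]*>#i', '', $label);
}

// Output encoding for an HTML attribute/text context. Store the raw value,
// encode at render time, and do it everywhere the value is echoed
// (the edit form AND the admin panel, since this is a stored XSS).
function encodeForHtml(string $label): string
{
    return htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Builds the same input field both ways and returns both renderings.
function renderMenuTitleField(string $storedLabel): array
{
    return [
        'stripped' => '<input name="menu_title" value="' . stripScriptTags($storedLabel) . '">',
        'encoded'  => '<input name="menu_title" value="' . encodeForHtml($storedLabel) . '">',
    ];
}

// Constructed sample: the payload quoted in the report.
$payload = '"><script>alert(document.domain)</script>Hello world!';
$out = renderMenuTitleField($payload);

// Stripped: value="">alert(document.domain)Hello world!">
// The "> already escaped the attribute and the tag; the filter only
// removed the one tag it knew about, so any other tag would be live.
echo $out['stripped'], PHP_EOL;

// Encoded: value="&quot;&gt;&lt;script&gt;...&lt;/script&gt;Hello world!"
// Every delimiter is now inert text inside the attribute value.
echo $out['encoded'], PHP_EOL;

// Self-check a maintainer can run with `php this_file.php`.
$brokeOut   = strpos($out['stripped'], '">alert(') !== false;
$stayedSafe = strpos($out['encoded'], '<script') === false
           && strpos($out['encoded'], '"&gt;') === false;
echo $brokeOut && $stayedSafe ? "filter bypassed, encoding holds\n" : "unexpected result\n";
```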
/Screenshots/
- go to '/Mara/codebase/menuedit.php'
- Insert Payload
- Click Test: Alert XSS Message
- Save and go to Admin Panel
- Alert XSS Message
/Desktop (please complete the following information):/
OS: Windows
Browser: All
I hope you fix it ASAP.