It is worth noting that the value of $args here is introduced from the HTTP request. And the value is an array.
Then $args is processed by foreach. The program uses the htmlspecialchars function to process $arg_value, but does not handle $arg_name. So an attacker can insert an attack payload at $arg_name to cause XSS.
details
in redaxo/src/addons/mediapool/pages/index.php:13
POC
The user directly accesses the URL if the user has logged in.
http://localhost/redaxo/index.php?page=mediapool/media&opener_input_field=&args[%22%3E%3Cscript%3Ealert(1)%3C/script%3E//]=12
XSS will be triggered as shown:

Credit: ADLab of VenusTech
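
The pattern described in this report, shown beside a hardened form. This is an added example, not part of the original issue and not REDAXO's own code. The function names and the assumption that each `args[...]` entry is echoed back as a hidden form field are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the pattern in the report; not REDAXO's code.
// Assumption: each args[...] entry is echoed back as a hidden form field.

/** Vulnerable pattern: only the value is escaped, the key is written raw. */
function render_args_unsafe(array $args): string
{
    $html = '';
    foreach ($args as $arg_name => $arg_value) {
        $html .= '<input type="hidden" name="args[' . $arg_name . ']" value="'
            . htmlspecialchars((string) $arg_value) . '">' . "\n";
    }
    return $html;
}

/** Hardened pattern: key and value are both escaped for an attribute context. */
function render_args_safe(array $args): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $html = '';
    foreach ($args as $arg_name => $arg_value) {
        if (!is_scalar($arg_value)) {
            continue; // nested arrays (args[a][b]=1) are dropped, not stringified
        }
        $html .= '<input type="hidden" name="args['
            . htmlspecialchars((string) $arg_name, $flags, 'UTF-8') . ']" value="'
            . htmlspecialchars((string) $arg_value, $flags, 'UTF-8') . '">' . "\n";
    }
    return $html;
}

// Key taken from the PoC URL above, URL-decoded.
$args = ['"><script>alert(1)</script>//' => '12'];

echo render_args_unsafe($args); // key closes the name attribute and the tag
echo render_args_safe($args);   // key is emitted as inert entity-encoded text
```

Array keys from a request are attacker-controlled in the same way as values, so any place that writes `$arg_name` into markup needs the same output encoding as `$arg_value`.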