Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Bug]Stored cross-site script attacks(xss) #122

Open
qmss opened this issue Dec 22, 2021 · 0 comments
Open

[Security Bug]Stored cross-site script attacks(xss) #122

qmss opened this issue Dec 22, 2021 · 0 comments
Labels
bug Something isn't working

Comments

@qmss
Copy link

qmss commented Dec 22, 2021

Describe the bug
Storage type xss exists in Custom Field Editor in /admin/modules/system/custom_field.php file. There is no effective defense against the NOTE field, leading to cross-site script attacks.

To Reproduce
Steps to reproduce the behavior:
Storage type xss exists in Custom Field Editor in /admin/modules/system/custom_field.php file. There is no effective defense against the NOTE field, leading to cross-site scripting attacks.
Administrator login "system" add new "field> fill in cross-site scripting in the NOTE field (example:'"><svg/onload=alert(document.domain)>)
It will take effect after saving.

Expected behavior
You can insert js scripts to attack.

Screenshots
3
4

Desktop :

  • OS: [MacBook M1]
  • Browser [Chrome]
  • Version [96.0.4664.110]
@qmss qmss added the bug Something isn't working label Dec 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant