Describe the bug
Stored XSS exists in the Custom Field Editor in the /admin/modules/system/custom_field.php file. There is no effective defense on the NOTE field, leading to cross-site scripting attacks.
To Reproduce
Steps to reproduce the behavior:
Storage type xss exists in Custom Field Editor in /admin/modules/system/custom_field.php file. There is no effective defense against the NOTE field, leading to cross-site scripting attacks.
Log in as administrator, open "System" > add new "Field", and fill in cross-site scripting in the NOTE field (example: '"><svg/onload=alert(document.domain)>).
It will take effect after saving.
Expected behavior
You can insert JS scripts to attack.
Screenshots
Desktop:
OS: [MacBook M1]
Browser: [Chrome]
Version: [96.0.4664.110]
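As an added illustration (not the project's own code; the function names and markup are hypothetical), the rendering pattern behind this class of bug in PHP beside the output-escaping fix, using the report's own payload as constructed input:

```php
<?php
// Added example, not code from custom_field.php. It models how a stored NOTE
// value reaches the page and why escaping it on output neutralises the payload.

// Constructed input: the payload from the report, as it would be read back
// from the database after being saved without any escaping.
$note = '\'"><svg/onload=alert(document.domain)>';

// Vulnerable pattern (hypothetical): the raw stored value is echoed straight
// into an attribute and into element content, so the quote characters close
// the attribute and the browser parses the rest as a new <svg> element.
function renderNoteUnsafe(string $note): string {
    return '<input type="text" name="note" value="' . $note . '">'
         . '<p>' . $note . '</p>';
}

// Hardened form: every untrusted value is HTML-escaped at the point of output.
// ENT_QUOTES covers both ' and ", so the value is safe inside attributes too.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderNoteSafe(string $note): string {
    return '<input type="text" name="note" value="' . h($note) . '">'
         . '<p>' . h($note) . '</p>';
}

// Self-check usable in a regression test: the escaped output must not contain
// the payload's tag or its event handler as live markup.
function noteIsInert(string $note): bool {
    $html = renderNoteSafe($note);
    return strpos($html, '<svg') === false && strpos($html, 'onload=') === false;
}

echo renderNoteUnsafe($note), PHP_EOL;
echo renderNoteSafe($note), PHP_EOL;
var_dump(noteIsInert($note));
```

The same escaping must be applied wherever the NOTE value is printed (form fields, lists, and member-facing views), since a stored payload fires on every page that renders it unescaped.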