XSS on login page #718
For issue: spotweb#718
I'm afraid that it's still possible. I get the "Script is not allowed" alert, but after that it will simply execute my XSS. I'm using the following payload: My advice:

Feel free to submit a PR

To be honest, I would if I could. Yet I spend hours and hours developing my offensive security skillset and little time in my programming skills. Despite that I still felt it was my duty to report this issue.
Describe the bug/issue
The parameter data[performredirect] on the login page is vulnerable to XSS attacks.
This issue was found in the latest Docker package by jgeusebroek (jgeusebroek/docker-spotweb) and seems to affect the latest Spotweb 1.5.1 as well, since random Spotweb servers on the internet are also vulnerable.
To Reproduce
Steps to reproduce the behavior:
Go to this URL: http://[ip]:[port]/?data[performredirect]=%22%3E%3Cscript%3Ealert(0)%3C/script%3E&page=login
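The URL above reflects the data[performredirect] value into the login page without encoding, which is what lets the `"><script>...` payload break out of its attribute context. The following PHP is an added illustration (not Spotweb's own code; the function names and the hidden-input markup are assumptions) contrasting the unescaped pattern with the encoded form, plus a same-site allow-list check that a post-login redirect value should pass before it is used at all:

```php
<?php
// Added example, not Spotweb's own code. Function names and the hidden-input
// markup are assumptions made for illustration.

// Vulnerable pattern: the raw query value lands inside an HTML attribute, so a
// value containing "> closes the attribute and the tag and injects markup.
function render_redirect_field_unsafe(string $performRedirect): string
{
    return '<input type="hidden" name="data[performredirect]" value="'
        . $performRedirect . '">';
}

// Hardened pattern: HTML-encode the value for the attribute context.
// ENT_QUOTES encodes both " and ' so neither quote style can be broken out of;
// ENT_SUBSTITUTE and the explicit charset avoid returning an empty string or
// mis-encoding on invalid UTF-8 input.
function render_redirect_field_safe(string $performRedirect): string
{
    $encoded = htmlspecialchars($performRedirect, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="data[performredirect]" value="'
        . $encoded . '">';
}

// Defence in depth: a post-login redirect target only needs to be a same-site
// path. Accept a single leading slash (not // or /\, which browsers may treat
// as protocol-relative), printable ASCII only, and fall back to the default
// for anything else. Output encoding is still required on top of this.
function sanitize_redirect_target(string $performRedirect, string $default = '/'): string
{
    if (preg_match('#^/(?![/\\\\])[\x21-\x7e]*$#', $performRedirect) === 1) {
        return $performRedirect;
    }
    return $default;
}

// Constructed sample input: the decoded payload from the report's URL.
$payload = '"><script>alert(0)</script>';

echo "Unsafe:  " . render_redirect_field_unsafe($payload) . PHP_EOL;
echo "Safe:    " . render_redirect_field_safe($payload) . PHP_EOL;
echo "Allowed: " . sanitize_redirect_target($payload) . PHP_EOL;
echo "Allowed: " . sanitize_redirect_target('/?page=index') . PHP_EOL;
```

Run with `php example.php` to see the unsafe rendering emit a live script tag while the safe rendering emits only entity-encoded text; the allow-list check rejects the payload and keeps a legitimate same-site path. The fix on the page's actual code path is the same two steps: encode at the output context, and validate the redirect value against what the login flow actually needs.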