Set " <script>alert(document.domain)</script> as website name.
Fill other required fields with random values and save.
Then just visit the admin dashboard and the alert will fire.
Each time a target visits the dashboard the payload will fire, even if the target is not logged in, since the website redirects to /admin/ presenting the login form, but the payload is also reflected there.
In order to test this, just click logout and reload the page.
Tested version: 8c2c8909 (latest)
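An added example, not code from the reported project (its templates are not shown in the report): a stored website name rendered into a page with and without output encoding, plus a regression check that counts the `<script>` tags a parser sees. The template `PAGE` and the function names are hypothetical; the sample name is the one from the reproduction steps.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the website name from the reproduction steps.
SITE_NAME = '" <script>alert(document.domain)</script>'

# Hypothetical template for the page served at /admin/ (login form or
# dashboard). The stored name lands in an attribute and in element text.
PAGE = (
    '<head><meta name="application-name" content="{name}"></head>'
    '<body><h1>{name}</h1>'
    '<form method="post" action="/admin/"></form></body>'
)


def render_unescaped(name: str) -> str:
    """'Before': the stored setting is interpolated as-is."""
    return PAGE.format(name=name)


def render_escaped(name: str) -> str:
    """'After': encode at output; quote=True also encodes " and '."""
    return PAGE.format(name=html.escape(name, quote=True))


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags that an HTML parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def script_tags(page: str) -> int:
    """Regression check: the template has no scripts, so any hit is injected."""
    counter = _ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.count


if __name__ == "__main__":
    print("unescaped:", script_tags(render_unescaped(SITE_NAME)))
    print("escaped:  ", script_tags(render_escaped(SITE_NAME)))
```

Because the login form is served to unauthenticated visitors, the encoding has to be applied on every page that prints the setting, not only inside the authenticated dashboard.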