Search found 6 matches
- 09 Apr 2024, 23:32
- Forum: Bug Report version 3.5.4
- Topic: Stored Cross-Site Scripting (XSS) in users_alerts
- Replies: 3
- Views: 180
Re: Stored Cross-Site Scripting (XSS) in users_alerts
I’ll answer here the same way as in the other post. https://forum.rukovoditel.net/viewtopic.php?p=20132 I can't agree with you. Even if the application has functionality for adding HTML/PHP/JS code, it is still necessary to filter out potentially dangerous functions. I don’t think that your users wi...
- 09 Apr 2024, 23:28
- Forum: Bug Report version 3.5.4
- Topic: Stored Cross-Site Scripting (XSS) in configuration/custom_html
- Replies: 3
- Views: 161
Re: Stored Cross-Site Scripting (XSS) in configuration/custom_html
I can't agree with you. Even if the application has functionality for adding HTML/PHP/JS code, it is still necessary to filter out potentially dangerous functions. I don’t think that your users will be happy if they are redirected to a malicious site after logging in. "/><script>location.replac...
- 09 Apr 2024, 02:35
- Forum: Bug Report version 3.5.4
- Topic: Stored Cross-Site Scripting (XSS) in configuration/custom_html
- Replies: 3
- Views: 161
Stored Cross-Site Scripting (XSS) in configuration/custom_html
Hey! I found an XSS vulnerability in the configuration/custom_html module, in the functionality for adding custom HTML code via the CFG[CUSTOM_HTML_HEAD] and CFG[CUSTOM_HTML_BODY] parameters. Payload: <script>alert('text'%2bdocument.cookie)</script> Request: POST /index.php?module=configuration/save&a...
- 09 Apr 2024, 02:03
- Forum: Bug Report version 3.5.4
- Topic: Stored Cross-Site Scripting (XSS) in users_alerts
- Replies: 3
- Views: 180
Stored Cross-Site Scripting (XSS) in users_alerts
Hey! I found an XSS vulnerability in the users_alerts module. In the title parameter when creating an alert for all users, you can insert a payload. Payload: "/><script>alert(document.cookie)</script> . Request: POST /index.php?module=users_alerts/users_alerts&action=save&id=1&token...
- 09 Apr 2024, 00:18
- Forum: Bug Report version 3.5.4
- Topic: stored XSS (Cross-site scripting) vulnerability
- Replies: 3
- Views: 1913
Re: stored XSS (Cross-site scripting) vulnerability
Awesome! Can I register a CVE with this vulnerability? After you fix it.
- 08 Apr 2024, 14:58
- Forum: Bug Report version 3.5.4
- Topic: stored XSS (Cross-site scripting) vulnerability
- Replies: 3
- Views: 1913
stored XSS (Cross-site scripting) vulnerability
Hey! I found an XSS vulnerability in the latest version of your application. The vulnerability is in the user_photo parameter and can be inserted in several places. Payload: "><img src=a onerror=alert(document.cookie)> 1. Editing the personal page "My Page" POST /index.php?module=user...