
[BUG] Found Xss Stored vuln in Administration page #271

Open
GrayR0ot opened this issue Jan 13, 2021 · 6 comments
Labels
bug Something isn't working

Comments

@GrayR0ot

Describe the bug

Editing members from the admin panel allows us to use a stored XSS vulnerability.

To reproduce

Steps to reproduce the behavior:

  1. Go to Membres -> Edit any

  2. Set the user name to <script>alert("XSS");</script>

  3. Then save

It allows us to use a stored XSS vulnerability, which would allow us to steal visitors' cookies, among other fun facts.

@GrayR0ot GrayR0ot added the bug Something isn't working label Jan 13, 2021
@nivcoo
Member

nivcoo commented Jan 13, 2021

Indeed, no page of the admin panel is protected against XSS. It should be, but we felt that if you have access to the admin panel you are someone who can be trusted.
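The defect the report describes and the comment above confirms (a stored member name written into the admin-panel HTML without escaping), shown as an added Python example that is not code from the project: the raw interpolation beside its escaped form, plus a small audit that flags which stored names would inject markup under the unsafe renderer. The row template, the `MEMBER_NAMES` sample (which includes the payload from step 2 of the report) and all function names are constructed for this example.

```python
import html

# Constructed sample data for this example: the payload from step 2 of the
# report plus ordinary names an admin member list would display.
MEMBER_NAMES = [
    "alice",
    '<script>alert("XSS");</script>',
    "bob <b>the builder</b>",
    "o'neil & sons",
]

# Fixed wrapper of a member-list row (constructed, not the project's template).
ROW_PREFIX = "<tr><td>"
ROW_SUFFIX = "</td></tr>"


def render_row_unsafe(name: str) -> str:
    """The pattern the report describes: the stored member name is inserted
    into the admin-panel HTML verbatim, so a name containing markup becomes
    markup (and a <script> tag executes) when an admin views the page."""
    return f"{ROW_PREFIX}{name}{ROW_SUFFIX}"


def render_row_safe(name: str) -> str:
    """Hardened form: escape at the HTML-text sink. html.escape replaces
    &, <, >, " and ' with entities, so the browser displays the name
    literally instead of parsing it as HTML."""
    return f"{ROW_PREFIX}{html.escape(name, quote=True)}{ROW_SUFFIX}"


def injected_markup(rendered: str) -> bool:
    """True if the rendered row carries any angle bracket besides the
    template's own <tr>/<td> wrapper, i.e. the name broke out into HTML."""
    body = rendered[len(ROW_PREFIX):-len(ROW_SUFFIX)]
    return "<" in body or ">" in body


def audit(names):
    """Return the names that would inject markup under the unsafe renderer
    and are neutralised by the safe one. Handy as a regression check while
    moving admin-panel templates over to escaped output."""
    return [
        n for n in names
        if injected_markup(render_row_unsafe(n))
        and not injected_markup(render_row_safe(n))
    ]


def display_roundtrip(name: str) -> str:
    """Escaping is presentation-only: unescaping the safe row's body yields
    the original name, so nothing stored is lost or altered."""
    body = render_row_safe(name)[len(ROW_PREFIX):-len(ROW_SUFFIX)]
    return html.unescape(body)


if __name__ == "__main__":
    for n in MEMBER_NAMES:
        print(render_row_safe(n))
    print("names that inject markup when rendered raw:", audit(MEMBER_NAMES))
```

The point of the `audit` helper is that the fix belongs at the output sink, not at the input form: the same stored name is harmless once every template escapes it, regardless of what an admin typed. Apostrophes and ampersands are escaped too, so names like `o'neil & sons` render correctly without being treated as markup.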

@nivcoo
Member

nivcoo commented Jan 13, 2021

For the cookies, if you have access to the file, you can also do anything with cookies and customer information.

@GrayR0ot
Author

I just successfully hijacked a customer dashboard, but if you think it's normal to leave this kind of vulnerability, that is your choice.

@nivcoo
Member

nivcoo commented Jan 13, 2021

It's not really a choice, but yes, it would be nice to take 2-3 hours to make the necessary changes.

@nivcoo
Member

nivcoo commented Aug 28, 2021

We will add protection for the XSS on panel admin in no time :p

@StanByes
Contributor

It's good
