Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Found Stored XSS in Opencms 11.0.0.0 #652

Closed
v4runsharma0121 opened this issue May 7, 2019 · 0 comments
Closed

Found Stored XSS in Opencms 11.0.0.0 #652

v4runsharma0121 opened this issue May 7, 2019 · 0 comments

Comments

@v4runsharma0121
Copy link

v4runsharma0121 commented May 7, 2019
edited
Loading

Hello Team,

I would like to report a vulnerability (cross-site-scripting) which I have observed in current version v11.0.0.0 and before.

Cross-Site Scripting (XSS) allows attacker to inject the malicious JavaScript as user input and then malicious script can access any cookies, session tokens, or other sensitive information associated with impacted applications.

Please refer https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) for more details.

Steps:

  1. Log into the application as a low privileged user (Editor Role).
    image

  2. Select any folder to upload file.
    image

  3. Upload any file.
    image

  4. Put the XSS payload in Title of the file
    image

  5. Now, log in as any user(including admin), and payload gets executed in folder view when file title gets loaded.
    image

Regards,
[email protected]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gWestenberger @v4runsharma0121