#2067 - Reflected Cross Site Scripting (XSS) Vulnerability
| Identifier | #2067 |
|---|---|
| Issue type | Major issue (breaks an entire feature) |
| Title | Reflected Cross Site Scripting (XSS) Vulnerability |
| Status | Completed |
| Handling member | Chris Graham |
| Addon | forum_blocks |
| Description | A cross site scripting (XSS) attack can cause arbitrary code (java script) to run in a user’s browser while the browser is connected to a trusted web site. The
application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executing when the user tries to modify the GET request parameter [FIELD_NAME] variable |
| Steps to reproduce | 1). Logon into Composr application (localhost or public host)
2). Modifying the variable [FIELD_NAME] in Composr CMS 9.0.20 (latest version) with intercept proxy in the URL
3). Fill the variable with 1234“><script>alert(1 );</script>1234 payload and send to the server
4). Now, the added XSS payload will get reflected in the browser. |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
We will give you credit. We appreciate the report.
However, please note you posted this as a public issue on a public bug tracker. I had to quickly close it to stop it leaking early.