Closed gozan10 closed 2 years ago
If a malicious user has access to the general settings, he*she can do worse things and does not need JS workarounds. As I stated several times before, site administrators have to make sure that only trustworthy personnel have access to areas like general settings, admintools etc.
Hi team, I found a small XSS in the No Results field.
Steps:
First choose Settings and find the Search Settings field, then click the Show Advanced Options button.
In the No Results field, write an XSS payload.
After finishing, click the PC button in Pages,
then type a search and press the search button.
The JavaScript code executes.
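
One way to render an admin-configured "No Results" message so that limited formatting still works but script cannot run, as an added example that is not part of the issue thread or the project's own code. The function name `render_no_results`, the allowed tag list and the sample inputs are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: formatting tags a site might want in a "no results" message.
# Attributes are never re-emitted, so event handlers and javascript: URLs
# cannot survive sanitization.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
# Elements whose content is dropped entirely instead of being shown as text.
DROP_CONTENT = {"script", "style"}


class _AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")  # tag name only, attributes discarded

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always HTML-escaped before it reaches the page.
        if not self.skip_depth:
            self.out.append(escape(data, quote=True))


def render_no_results(setting_value: str) -> str:
    """Return the stored setting as HTML that is safe to place in the page body."""
    parser = _AllowListSanitizer()
    parser.feed(setting_value)
    parser.close()  # flush buffered trailing text
    return "".join(parser.out)
```

An unclosed `<script>` leaves `skip_depth` above zero, so everything after it is dropped rather than rendered.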