Closed gozan10 closed 1 year ago
If a malicious user has access to the general settings, he/she can do worse things and does not need JS workarounds. As I stated several times before, site administrators have to make sure that only trustworthy personnel has access to areas like general settings, admin tools etc.
Hi team, I found a small XSS in the No Results field.
Steps:
First choose Settings and find the Search Settings field, then click the Show Advanced Options button. ![image](https://user-images.githubusercontent.com/70020521/199875438-691c379a-3753-4374-82e0-8137ddfae201.png)
In the No Results field, write the XSS payload. ![image](https://user-images.githubusercontent.com/70020521/199875602-6cd363d1-fb6f-4f58-a781-fd3a12d8ca33.png)
After finishing, click the PC button in Pages. ![image](https://user-images.githubusercontent.com/70020521/199875727-843a15ef-2c69-4cf7-b03f-3ec823d63a34.png)
Then type a search and press the search button. ![image](https://user-images.githubusercontent.com/70020521/199875812-cc963dbd-30c0-4d6f-921d-c561ec2d421e.png)
The JavaScript code executes. ![image](https://user-images.githubusercontent.com/70020521/199875857-1fdf5296-8006-4991-ae88-fc2731a5e5f6.png)
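The report above describes an admin-configured "No Results" message being rendered into the search results page without output encoding. The following is an added example, not code from the project or from either participant in this issue, showing the rendering defect beside its hardened form. The function names (`renderNoResultsUnsafe`, `renderNoResultsSafe`, `escapeHtml`) and the sample setting value are hypothetical; the project's actual template code is not shown on the page.

```javascript
// Added example (not from the project): HTML-escape an admin-configured
// "No Results" message before it is rendered into the search results page.
// Function names here are hypothetical; the project's real rendering code
// is not shown in the issue.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the stored setting is interpolated verbatim into markup,
// so any tags typed into the setting become live HTML in every visitor's browser.
function renderNoResultsUnsafe(noResultsSetting, query) {
  return `<p class="no-results">${noResultsSetting} (${query})</p>`;
}

// Hardened rendering: both the stored setting and the user's query are
// escaped, so they are displayed as text rather than parsed as HTML.
function renderNoResultsSafe(noResultsSetting, query) {
  return `<p class="no-results">${escapeHtml(noResultsSetting)} (${escapeHtml(query)})</p>`;
}

// Constructed sample values: a setting containing markup and a query with
// a stray angle bracket (both made up for this example).
const SAMPLE_SETTING = "Nothing found <b>here</b>";
const SAMPLE_QUERY = "a<b";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderNoResultsUnsafe(SAMPLE_SETTING, SAMPLE_QUERY));
  console.log(renderNoResultsSafe(SAMPLE_SETTING, SAMPLE_QUERY));
}
```

Escaping at render time is the relevant fix regardless of who may edit the setting: it keeps stored text as text, and a Content-Security-Policy without `unsafe-inline` adds a second layer if a template is missed.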