WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
https://wbce-cms.org
GNU General Public License v2.0

There is Cross Site Scripting (XSS) at the preferences Display Name #539

Closed aomanbuaoman closed 1 year ago

aomanbuaoman commented 1 year ago

After submission, display_name is escaped in the escapestring function for special symbols. When saving to the database, it adds `\` in front of `"`, but this does not affect the front-end recognition of `"`. When output to the frontend, it is not filtered. Enter the payload on the submit page and submit: `s" autofocus=autofocus onfocus=alert(1) "`. The XSS is written successfully.
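To make the two escaping layers described above concrete, here is an added PHP example (not WBCE code): `addslashes()` is assumed as a stand-in for WBCE's `escapestring()`, and the form markup is hypothetical. It shows why a backslash added for the SQL layer does nothing for the HTML layer, and what the output-time fix looks like.

```php
<?php
// Added example, not WBCE code. Models the two escaping layers from the issue:
// a storage-time escape that backslashes quotes (assumed stand-in: addslashes(),
// standing in for WBCE's escapestring()) versus an output-time HTML escape.

// Constructed sample input: the display name from the report.
$displayName = 's" autofocus=autofocus onfocus=alert(1) "';

// Layer 1: storage escaping. The backslash only protects the SQL string literal;
// the database strips it again, so the stored value is the original string.
// This layer gives no protection for an HTML context.
function storeDisplayName(string $name): string
{
    $forSql = addslashes($name);   // backslash before each quote, as in the report
    return stripslashes($forSql);  // what the database row actually holds
}

// Vulnerable rendering: the raw value goes into an attribute, so the embedded
// quote closes the attribute and the rest becomes new attributes.
function renderUnsafe(string $name): string
{
    return '<input type="text" name="display_name" value="' . $name . '">';
}

// Fixed rendering: encode for the HTML attribute context at output time.
// ENT_QUOTES makes sure both " and ' are encoded, so the attribute cannot be closed early.
function renderSafe(string $name): string
{
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="display_name" value="' . $enc . '">';
}

// Defender's check: the value attribute must not contain a raw double quote.
function valueAttributeIntact(string $html): bool
{
    if (!preg_match('/ value="(.*)">$/s', $html, $m)) {
        return false;
    }
    return strpos($m[1], '"') === false;
}

$stored = storeDisplayName($displayName);
echo renderUnsafe($stored), PHP_EOL;
echo 'unsafe attribute intact: ', var_export(valueAttributeIntact(renderUnsafe($stored)), true), PHP_EOL;
echo renderSafe($stored), PHP_EOL;
echo 'safe attribute intact:   ', var_export(valueAttributeIntact(renderSafe($stored)), true), PHP_EOL;
```

Run with `php example.php`; the first check reports the attribute broken, the second reports it intact, which is the behaviour the output-time fix has to guarantee.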

instantflorian commented 1 year ago

Thank you for reporting the issue! Fixed with https://github.com/WBCE/WBCE_CMS/commit/07a0debe8103a554dd32c557d6d41eda02da1f5b