Closed splint3rsec closed 3 years ago
Hi,
Thanks for this full report. I will fix that.
Regards
This is fixed. V1.7.1
Regards
Hi @boiteasite ! Thank you for the patch, is it possible to request a CVE ID?
CVE-2021-36654 has been assigned for this issue. You can request CVEs via https://cveform.mitre.org/.
Thank you Henri, I did not know this site.
Thank you @fgeek @boiteasite :) Have a nice day :)
Hi :)
cmsuno version 1.7 is vulnerable to stored cross-site scripting. An authenticated attacker can inject a payload via the tgo parameter while updating the template's image filename, after intercepting the request using Burp Suite. After a successful update of the template, the XSS pops up on the website page.
Steps to reproduce
Thanks
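The class of fix this report calls for, as an added example that is not cmsuno's code and not the 1.7.1 patch (which this page does not show): validate the submitted image filename before storing it, and escape it again when it is written into the page. The function names, the extension allowlist and the `files/` path are assumptions made for illustration.

```php
<?php
// Added example; hypothetical helpers, not taken from the cmsuno code base.

const ALLOWED_IMAGE_EXT = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

/**
 * Input side: accept a template image filename only if it is a bare
 * filename made of safe characters with an image extension.
 * Returns the filename, or null when it must be rejected.
 */
function validate_image_filename(string $raw): ?string
{
    // No directory components: the value must be a bare filename.
    if ($raw === '' || basename($raw) !== $raw) {
        return null;
    }
    // Letters, digits, dot, dash, underscore only; quotes, angle brackets,
    // spaces and control characters can never match.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $raw)) {
        return null;
    }
    $ext = strtolower(pathinfo($raw, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXT, true) ? $raw : null;
}

/**
 * Output side: escape the stored value for an HTML attribute context,
 * so a value saved before validation existed is still rendered inert.
 */
function render_template_image(string $storedName): string
{
    $safe = htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="files/' . $safe . '" alt="">';  // "files/" is an assumed path
}

// Constructed sample inputs: one valid name, one carrying markup,
// one with a path component, one with a non-image extension.
$samples = ['header.png', 'bg.png"><b>constructed</b>', '../up/one.jpg', 'notes.txt'];

foreach ($samples as $s) {
    $verdict = validate_image_filename($s) === null ? 'rejected' : 'stored';
    printf("%-30s => %s\n", $s, $verdict);
    // Even for rejected input, show that escaping keeps it inside the attribute.
    echo '    ', render_template_image($s), "\n";
}
```

Validation alone does not clean values already saved by a vulnerable version, which is why the output path escapes as well.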