Remo
commented
3 years ago Thanks for reporting this, I appreciated the detailed report with the links to the exact line in the code. I haven't tested it yet, but this might fix those unsanitized variables https://github.com/concrete5/concrete5-legacy/pull/2007
270006206
Although this app is a legacy version, we found multiple XSS bugs so reporting them.
Describe the bug Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.
To Reproduce Steps to reproduce the behavior:
Screenshots
Where the Issue Occurred The code below displays the user-controlled parameter
rel,ctID, andmodein concrete/elements/collection_add.php,relin concrete/elements/collection_theme.php, andcIDin toos/permissions/dialogs/access/entity/types/group_combination.php without sufficient sanitization: https://github.com/concrete5/concrete5-legacy/blob/b5d89b7441ecd277f4516b84289de4e9324be47f/web/concrete/elements/collection_add.php#L15 https://github.com/concrete5/concrete5-legacy/blob/b5d89b7441ecd277f4516b84289de4e9324be47f/web/concrete/elements/collection_add.php#L16 https://github.com/concrete5/concrete5-legacy/blob/b5d89b7441ecd277f4516b84289de4e9324be47f/web/concrete/elements/collection_add.php#L17 https://github.com/concrete5/concrete5-legacy/blob/b5d89b7441ecd277f4516b84289de4e9324be47f/web/concrete/elements/collection_theme.php#L46 https://github.com/concrete5/concrete5-legacy/blob/b5d89b7441ecd277f4516b84289de4e9324be47f/web/concrete/tools/permissions/dialogs/access/entity/types/group_combination.php#L34