decaporg / decap-cms

A Git-based CMS for Static Site Generators
https://decapcms.org
MIT License

Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS) #6855

Closed bhaskar3112 closed 1 year ago

bhaskar3112 commented 1 year ago

Exploit Title: Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

Exploit Author: bhaskar

Vendor Homepage: https://decapcms.org/docs/intro/

Software Link: https://github.com/decaporg/decap-cms

Version: 2.10.192

Tested on: https://cms-demo.netlify.com

Description:

  1. Go to New Post and write your payload in the body field:

https://cms-demo.netlify.com/#/collections/posts

Payload =

  2. After saving it, the XSS payload will be executed and an alert box will appear.
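
Added example, not code from this report or from the Decap CMS project: the report above says that whatever is typed into the body field is stored and, once the entry is saved and rendered, runs as script. The allowlist sanitizer below shows what neutralising that rendered output looks like before it is injected into a page. The markup it is run on (`STORED_BODY_HTML`) is constructed for the demonstration, since the report's own payload is not reproduced on this page, and the tag, attribute and URL-scheme allowlists (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `SAFE_URL`) are illustrative assumptions, not the CMS's actual configuration.

```javascript
// Added example, not Decap / Netlify CMS code: a minimal allowlist sanitizer
// for HTML rendered from an untrusted CMS "body" field. Everything not on an
// allowlist is dropped, so event handlers and script: URLs never reach the DOM.

// Assumed tag allowlist for a blog-post body (illustrative, not the CMS's own).
const ALLOWED_TAGS = new Set([
  "p", "br", "strong", "em", "a", "img", "ul", "ol", "li",
  "h1", "h2", "h3", "code", "pre", "blockquote",
]);
// Attributes are allowlisted per tag; event handlers (onerror, onclick, ...)
// are never listed, so they are dropped on every tag.
const ALLOWED_ATTRS = {
  a: new Set(["href", "title"]),
  img: new Set(["src", "alt"]),
};
// URL-valued attributes must match a scheme allowlist: "javascript:" and
// "data:" never match, nor do obfuscated forms such as "java\tscript:".
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;
const URL_ATTRS = new Set(["href", "src"]);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  // The input is already HTML, so existing entities (&amp;) are left alone;
  // only stray angle brackets that did not form a recognised tag are neutralised.
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;                         // e.g. onerror
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value.trim())) continue; // javascript:
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  // Remove script/style elements together with their bodies so inline JS
  // does not even survive as visible text.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown tag (svg, iframe, ...): removed
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed sample of what a stored, attacker-controlled body might render to
// (not the report's payload, which is not shown on this page).
const STORED_BODY_HTML =
  '<p>Release notes &amp; <strong>fixes</strong></p>' +
  '<script>alert(document.cookie)</script>' +
  '<img src="/uploads/logo.png" alt="logo" onerror="alert(1)">' +
  '<a href="javascript:alert(1)" title="read more">read more</a>' +
  '<a href="https://example.com/post">post</a>' +
  '<p onclick="alert(2)">more text</p>';

console.log(sanitizeHtml(STORED_BODY_HTML));
```

Running it keeps the paragraphs, the image and the `https:` link, and strips the `<script>` element, the `onerror` and `onclick` handlers and the `javascript:` href. The allowlist shape is the point: a blocklist of known-bad tags or a check for the literal string `javascript:` would miss `<svg onload>` or `java\tscript:`, whereas here nothing is emitted unless it was explicitly permitted. A regex tokenizer like this one is fine for illustrating the idea, but HTML parsing has enough corner cases (nested quotes, comments, malformed tags) that production code should hand the rendered markup to a maintained DOM-based sanitizer rather than this kind of string processing.
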
martinjagodic commented 1 year ago

@bhaskar3112 this is expected. XSS is not a concern in an authenticated environment like a CMS.