Open luuthehienhbit opened 4 years ago
If you have access to the manager panel you have full access, and any XSS makes no sense, because you can do what you need without XSS )
Hello @Dmi3yy, I think the admin should only be allowed to use JS / HTML in certain areas like editing plugins / modules, themes / templates, .... In other parts, if the admin is still allowed to use it arbitrarily, it will cause a risk, an attack, etc., because a website will probably have one or more admins. An attacker with admin rights can take full advantage and lure victims with malicious intent through XSS :))
If you have any rights in the manager you can write any snippet in the content and get any results you want. So XSS in the manager panel makes no sense.
With many main snippets you can get info from the DB or change something in the DB. So you don't need to use XSS, because it's easy to use a snippet for that.
Describe the bug
An authenticated malicious user can take advantage of a Reflected XSS vulnerability in the "Document Manager" feature.

To Reproduce
Steps to reproduce the behavior: