Closed ghi5107 closed 7 years ago
Do anyone confirm the issue?? I think xss vulnerabiltiy is harmful to administrator, attacker may steal information by enticing a administator to open a crafted web page.
I'll fix that as soon as possible. I'm working on it. Thanks for reporting.
thanks for your response
CVE-2017-9451 has been assigned for this vulnerability. You can add it to commit message and ChangeLog file, thanks.
Verified, no longer work, thank you.
Title: XSS Vulnerability in acp.php Security: Low (visit acp.php as a administrator) Software: https://codeload.github.com/flatCore/flatCore-CMS/zip/v1.4.6 code: pages.edit_form.php:
Reproduce: (get client cookie information) http://localhost/fc/acp/acp.php/p3q7o'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eoqch8?tn=pages&sub=edit&editpage=2
reference about XSS: https://www.owasp.org/index.php/Cross-siteScripting(XSS)
Discovered by: ghi from Huawei Weiran Labs