flatCore / flatCore-CMS

flatCore is a Web Content Management System (CMS) based on PHP and MySQL/SQLite.
https://flatcore.org
GNU General Public License v3.0
50 stars 16 forks source link

XSS #67

Closed hieuminhnv closed 1 year ago

hieuminhnv commented 3 years ago

Describe the bug XSS in function Posts

To Reproduce Steps to reproduce the behavior:

  1. Login to CMS
  2. Click on 'Posts' >> 'New Entry' >> Image
  3. In Meta Data >> inject payload into Title Screenshots image

payload: "><img src="x" onerror=alert(String.fromCharCode(88,83,83));>

Desktop (please complete the following information):