gleez / cms

GleezCMS - A Light, Simple, Flexible Content Management System
www.gleezcms.org

XSS Vulnerability caused by Redactor 3 #796

Open shellsniper opened 6 years ago

shellsniper commented 6 years ago

The stored XSS can be triggered once you edit content using the Redactor 3 (https://imperavi.com/redactor/) plugin. It can be found in both the PAGE and BLOG modules.


To developer: Please avoid using Redactor right now until they fix this issue.

Reference: https://github.com/gleez/cms/issues/794 https://imperavi.com/redactor/

anupriya17 commented 6 years ago

Hi,

Thank you for the detailed explanation.

Can you make a pull request so that I can merge it? If not, I'll be doing it as early as possible.

Once again, thanks for bringing this to our notice.

On 05-Jul-2018, at 2:40 PM, Chenfeng Nie notifications@github.com wrote:

The stored XSS can be triggered once you edit content using the Redactor 3 (https://imperavi.com/redactor/) plugin. It can be found in both the PAGE and BLOG modules.

To developer: Please avoid using Redactor right now until they fix this issue.

Reference: #794 (https://github.com/gleez/cms/issues/794), https://imperavi.com/redactor/


sandeepone commented 6 years ago

@anupriya17 I'll be looking into it right now.

sandeepone commented 6 years ago

@levoncf @anupriya17 I've disabled Redactor immediately. Will investigate further. Feel free to share your opinions.