The admin panel of the application is vulnerable to a stored Cross-Site Scripting (XSS) attack, which can be triggered using Cross-Site Request Forgery (CSRF). This vulnerability allows an attacker to inject malicious code into the application and execute it within the context of authenticated users accessing the affected page.
By including a crafted key1value in the HTTP POST request, an attacker can insert arbitrary JavaScript code into the application. The payload provided in the example request demonstrates an XSS attack by injecting a malicious image tag that executes a JavaScript alert function with the document.domain parameter:
Severity: High
The admin panel of the application is vulnerable to a stored Cross-Site Scripting (XSS) attack, which can be triggered using Cross-Site Request Forgery (CSRF). This vulnerability allows an attacker to inject malicious code into the application and execute it within the context of authenticated users accessing the affected page.
By including a crafted
key1
value in the HTTP POST request, an attacker can insert arbitrary JavaScript code into the application. The payload provided in the example request demonstrates an XSS attack by injecting a malicious image tag that executes a JavaScript alert function with the document.domain parameter:To remediate these vulnerabilities, see https://github.com/greenpau/caddy-security/issues/264, additionally implement CSRF protection mechanisms to mitigate the risk of CSRF attacks.