search

totaljs / cms

Node.js Content Management System
http://www.totaljs.com/cms/
MIT License
223 stars 92 forks source link

Security Issue - Cross Site Scripting (Stored) #35

Closed P0cas closed 2 years ago

P0cas commented 2 years ago

Description

스크린샷 2022-02-27 15 06 08 
PoC : "><img src=x onerror=alert(1)>

Hello @petersirka! I report the security issue. When the administrator creates a page, the page is created by inserting XSS PoC as the name of the page, and the script is executed when going to the page list.

P0cas commented 2 years ago

Are you planning to release a new version for this bug?

petersirka commented 2 years ago

No, no, I'll fix only that bug and regenerate the bundle. So you will download only the fix (some specific files) or download the entire bundle.

I'll fix it today later.

petersirka commented 2 years ago

Fixed https://github.com/totaljs/cms/commit/95f54a552ef3941d1c77440f0f886f09ef40636e

P0cas commented 2 years ago

Awesome🔥Thanks for the fixed