[Security] Stored XSS

[edoardottt]

Tested version: 8c2c8909 (latest)

Steps to reproduce the vulnerability:

• Login in the application.
• Set "</script><script>alert(document.domain)</script> as CDN (for jComponent Library) in settings.
• Fill other required fields with random values and save.
• Then just visit the admin dashboard and the alert will fire.

Each time a target will visit the dashboard the payload will fire, even if the target is not logged in! Since the wesbite redirects to /admin/ presenting the login form, but the payload is reflected also there.

In order to test this, just click logout and reload the page.

[petersirka]

Hi @edoardottt, This is not a security issue. It's an administration area, and you must have enabled sa privileges for editing those settings. If you look into the widgets/pages/layouts you can easily inject scripts (and not only for client-side...).