Persistent XSS on 'Website's name' field (config[site_from_name]) #154

@twoHub

Hey guys, wonderful work on the CMS! I found security problems in the website's management settings:
A stored cross-site scripting (XSS) vulnerability in the "Site Name" field on the "Contact" "Configuration" page of WityCMS 0.6.2 allows remote attackers to inject arbitrary web script or HTML through a crafted site name, via HTTP requests authenticated with WITYCMS/Admin.

" onclick="alert(1)"
After saving the input JS code, the script is hidden in the tag attribute, and the script code is executed by clicking the input box.
JavaScript gets executed. Here's the output of the mentioned payload when entered and saved.

If the data is not sanitized upon input, these components are going to return arbitrary web script or HTML that can be rendered by the browser.
【ZKZX-SHOWTIME】
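
The attribute breakout described in the report, next to the output encoding that prevents it. This is an added example, not part of the original report and not wityCMS code; the `<input>` template and the function names are assumptions, and only the field name `config[site_from_name]` and the test string come from the issue.

```php
<?php
// Added example, not wityCMS code. The template and function names are hypothetical.

// Value as saved through the settings form (the string quoted in the report).
$stored = '" onclick="alert(1)"';

// Unescaped rendering: the stored double quote closes value="..." early,
// so the rest of the string is parsed as further attributes.
function render_raw(string $v): string {
    return '<input type="text" name="config[site_from_name]" value="' . $v . '">';
}

// Escaped rendering: quotes, ampersands and angle brackets become entities,
// so the whole string stays inside the value attribute.
function render_escaped(string $v): string {
    $safe = htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="config[site_from_name]" value="' . $safe . '">';
}

// Parse the markup and return the attributes that end up on the <input> element.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

$variants = ['raw' => render_raw($stored), 'escaped' => render_escaped($stored)];
foreach ($variants as $label => $html) {
    $attrs = input_attributes($html);
    // Any attribute whose name starts with "on" is an event handler.
    $handlers = preg_grep('/^on/i', array_keys($attrs));
    echo $label, ': ', $html, PHP_EOL;
    echo '  attributes: ', implode(', ', array_keys($attrs)), PHP_EOL;
    echo '  event handler present: ', (count($handlers) > 0 ? 'yes' : 'no'), PHP_EOL;
}
```

The same encoding has to be applied at every place the stored site name is written into HTML, not only in the settings form.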
