Two persistent XSS were found.

Wonderful works of CMS! I found safety problems on the website in management settings:

Cross-site scripting (XSS) vulnerabilities stored in the Site Name field found on the "Configuration" page under the "Carousel" menu of WistyCMS 0.6.2 allow remote attacks.

payload:
    " onclick="alert(1)"
Javascript gets executed. Here's an output of the mentioned payload when entered and saved.
The input label property becomes the property of the input box, and the JS code under the "onclick" property is executed when the input box is clicked.
![default](https://user-images.githubusercontent.com/33438164/44376832-cb22ce00-a52c-11e8-9451-75028d327342.png)
Enter the code in the two input box.
![default](https://user-images.githubusercontent.com/33438164/44376866-f0174100-a52c-11e8-8699-9b35776795b8.png)
Click on the "Envoyer" button to submit and find that the input code has successfully become the attribute of the label.
![default](https://user-images.githubusercontent.com/33438164/44377300-c19a6580-a52e-11e8-81d6-093c467e1d06.png)
![default](https://user-images.githubusercontent.com/33438164/44377306-c828dd00-a52e-11e8-9c54-f25bea9d2082.png)

See that the two code is successfully executed.
![default](https://user-images.githubusercontent.com/33438164/44377275-9748a800-a52e-11e8-8f92-30983d82673e.png)
apps\slideshow\admin\main.php


——中科卓信软件测评技术中心






Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Two persistent XSS were found. #155

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Two persistent XSS were found. #155

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions