Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Frog CMS 0.9.5 has XSS via the /admin/?/user/add Name or Username parameter
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Frog CMS team
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Frog CMS - 0.9.5
>
> ------------------------------------------
>
> [Affected Component]
> Frog CMS
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Stored XSS
>
> ------------------------------------------
> Steps to reproduce:
1. Click to Add new user.
2. On page http://localhost/FrogCms/admin/?/user/add, add Name as "<script>alert(1)</script> and Username as "<img src=/ onerror=alert(2)>"
3. Click on Save
4. Javascript code executes on http://localhost/FrogCms/admin/?/user.
>
> [Discoverer]
> Prafull Agarwal
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment