| Title | Automad CMS <= 1.10.9 Stored Cross-Site Scripting (XSS) |
|---|
| Description | Finding Name: Multiple Stored Cross-Site Scripting (XSS)
Description: It was discovered that the application does not validate user input and does not sanitize or encode several parameters before rendering them in templates, leaving it susceptible to stored Cross-Site Scripting (XSS) attacks.
Affected Parameters:
General Data
- sitename
Default Template Settings:
- ogImage
- itemsHeader
- brand
- placeholderSearch
- iconNav
- itemsFooter
- SearchResults
Default Colors:
- colorPageText
- colorPageBackground
- colorPageBorder
- colorCardText
- colorCardBackground
- colorCardBorder
- colorCodeBackground
- colorNavbarText
- colorNavbarBackground
- colorNavbarBorder
Affected Files:
- packages\standard\templates\post.php (Line: 6, 22, 67, 76)
- packages\standard\templates\elements\navbar.php (Line: 19, 35, 65,
- packages\standard\templates\elements\icon_title.php (Line: 1)
- packages\standard\templates\elements\colors.php (Line: 1-10)
- packages\standard\templates\elements\colors_header.php (Line: 1-3)
Steps To Reproduce:
1. Log in to the application and navigate to the "General Data and Files" menu.
2. Enter a payload such as `<svg onload=alert("Sitename")//` into one of the affected fields or parameters. |
|---|
| Source | https://github.com/screetsec/VDD/tree/main/Automad%20CMS/Stored%20Cross%20Site%20Scripting%20(XSS) |
|---|
| User | Maland (UID 59886) |
|---|
| Submitted | 2023-12-09 06:07 PM (3 years ago) |
|---|
| Moderation | 2023-12-21 09:19 AM (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 248684 [Automad up to 1.10.9 Setting post.php sitename cross site scripting] |
|---|
| Points | 20 |
|---|
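The report above names the sink (front-end templates such as post.php and navbar.php echoing stored settings) but not the fix. Because the affected files are public page templates rather than admin-only views, a payload saved once in "General Data and Files" is served to every visitor of the site, which is what makes this a stored rather than self-XSS issue. The PHP below is an added example, not Automad's code: it renders three of the reported settings (sitename in a text node, ogImage in an attribute, colorPageText in an inline stylesheet) first verbatim, the way the report describes, and then with context-appropriate output handling. The surrounding HTML and CSS, the function names and the sample payloads are assumptions made for illustration.

```php
<?php
// Added example (not Automad's code). Setting names match the report; the
// HTML/CSS around them is assumed for illustration.

declare(strict_types=1);

// Encode a value for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8 (which would silently drop the value).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Colours end up inside a <style> block. HTML encoding is the wrong tool
// there: browsers do not HTML-decode inside CSS, so an encoded value would
// break legitimate colours while doing nothing useful. Validate against a
// strict allow-list (hex colours only, an assumption for this example) and
// fall back to a known-safe default instead.
function cssColor(string $value, string $default = '#000000'): string
{
    return preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})\z/', $value) === 1
        ? $value
        : $default;
}

// Vulnerable rendering: every stored setting is echoed verbatim, which is the
// pattern the report describes for post.php, navbar.php and colors.php.
function renderVulnerable(array $s): string
{
    return '<meta property="og:image" content="' . $s['ogImage'] . '">' . "\n"
         . '<style>:root{--color-page-text:' . $s['colorPageText'] . '}</style>' . "\n"
         . '<h1>' . $s['sitename'] . '</h1>';
}

// Hardened rendering: encode or validate according to the output context.
function renderHardened(array $s): string
{
    return '<meta property="og:image" content="' . h($s['ogImage']) . '">' . "\n"
         . '<style>:root{--color-page-text:' . cssColor($s['colorPageText']) . '}</style>' . "\n"
         . '<h1>' . h($s['sitename']) . '</h1>';
}

// Constructed sample input: values an authenticated admin could save via
// "General Data and Files", shaped like the payload in the report. The
// attribute and CSS variants first close the surrounding context.
$settings = [
    'sitename'      => '<svg onload=alert("Sitename")//',
    'ogImage'       => '"><svg onload=alert("ogImage")//',
    'colorPageText' => '#000}</style><svg onload=alert("color")//',
];

echo "--- vulnerable ---\n", renderVulnerable($settings), "\n";
echo "--- hardened ---\n",   renderHardened($settings),   "\n";
```

Run with `php example.php` and compare the two outputs: in the vulnerable block all three payloads survive as live markup (the `//` at the end of each payload turns the rest of the tag into a JavaScript comment, so the handler still parses), while in the hardened block the two HTML contexts carry `&lt;svg ...` and the colour falls back to the default because it is not a valid hex colour. Encoding at the sink is the fix; rejecting malformed colours on save is a useful second layer, not a replacement, since settings already stored before the fix would still render unencoded.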