| Title | PHPGurukul News Portal v1.0 Cross Site Scripting |
|---|
| Description | The Django News Management Application contains multiple Stored Cross-Site Scripting (XSS) vulnerabilities reachable through unrestricted file upload functionality. The application fails to validate, sanitize, and restrict file types during upload across several endpoints, including profile picture uploads and news post image uploads.
The vulnerability exists in three locations:
http://127.0.0.1:8000/AdminProfile
http://127.0.0.1:8000/AddSubadmin
http://127.0.0.1:8000/ViewSubadmin/9
The application accepts SVG files without content inspection or sanitization. When such a file is rendered by the browser (either while viewing an admin/subadmin profile or when the image is opened in a new tab), the embedded JavaScript executes in the security context of whoever views the content, including other administrators. |
|---|
| Source | https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md |
|---|
| User | hackerfactory (UID 85869) |
|---|
| Submission | 12.01.2026 18:31 (4 months ago) |
|---|
| Moderation | 25.01.2026 18:14 (13 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 342840 [PHPGurukul News Portal 1.0 Profile Pic privilege escalation] |
|---|
| Points | 20 |
|---|
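The description above boils down to one missing check: the upload handler trusts the file name or declared MIME type, so an SVG (which is XML and may carry `<script>` or event handlers) is stored and later served from the site's own origin. The validator below is an added example written for this page; it is not code from the News-Portal project, from PHPGurukul, or from the VulDB entry. It sniffs the bytes for a raster-image signature, requires the extension to agree with what was sniffed, rejects anything that looks like XML/SVG/HTML, and returns the response headers a practitioner would put on the endpoint that serves stored uploads. All function names, the size limit and the sample inputs are hypothetical and constructed for the demonstration.

```python
"""Content-sniffing validator for image upload fields (profile pictures,
news post images). Added example for this page, not project code.

Assumptions (hypothetical): the field only ever needs raster images, so SVG
is rejected outright rather than sanitized; uploads are capped at 2 MiB.
"""
import os
import re
from typing import Dict, Optional, Tuple

# Raster formats the field may store, keyed by the extension we expect.
MAGIC = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "webp": (),  # RIFF....WEBP is checked separately below
}
EXT_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 2 * 1024 * 1024  # hypothetical limit

# Markup that must never be present in a file served from an image endpoint.
# Deliberately conservative: a raster file that happens to contain these
# bytes is rejected too, which is the safer failure mode.
MARKUP_RE = re.compile(rb"<\s*(\?xml|!doctype|svg|script|html)\b", re.IGNORECASE)

MIME = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif", "webp": "image/webp"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return 'png'/'jpg'/'gif'/'webp' from the file's magic bytes, else None."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); the reason is written so it can be logged."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return False, f"extension .{ext or '?'} not in allow-list"
    # Content check first: an SVG renamed to .png still contains markup.
    if MARKUP_RE.search(data[:4096]):
        return False, "file body contains XML/SVG/HTML markup"
    fmt = sniff_format(data)
    if fmt is None:
        return False, "no recognised raster image signature"
    if fmt != ext:
        return False, f"extension .{ext} does not match sniffed format {fmt}"
    return True, f"ok ({fmt})"


def serving_headers(fmt: str) -> Dict[str, str]:
    """Defence-in-depth headers for the endpoint that serves stored uploads.
    nosniff stops the browser re-interpreting the bytes as HTML; the sandbox
    CSP and attachment disposition matter for the 'open image in a new tab'
    case, where a navigation rather than an <img> load would run script."""
    return {
        "Content-Type": MIME[fmt],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
        "Content-Disposition": "attachment",
    }


# Constructed samples (not taken from the page): the kind of SVG payload the
# description says the handler accepted, and a minimal PNG header.
MALICIOUS_SVG = (b'<?xml version="1.0"?>\n'
                 b'<svg xmlns="http://www.w3.org/2000/svg">'
                 b'<script>alert(document.domain)</script></svg>')
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17

if __name__ == "__main__":
    for name, blob in [("avatar.svg", MALICIOUS_SVG),
                       ("avatar.png", MALICIOUS_SVG),   # renamed SVG
                       ("avatar.png", PNG_HEADER)]:
        print(name, validate_image_upload(name, blob))
```

Running the block prints one line per constructed sample: both SVG variants are rejected (the renamed one by the markup check, before any extension logic), and only the genuine PNG is accepted. Note that the extension/signature agreement check is what defeats the "upload a PNG, rename to .svg later" variant; the markup check alone would pass a real PNG whose name ends in `.svg`, which the browser would still sniff as an image but which a later endpoint might serve with `image/svg+xml`.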