"Pirates of the Crayons"
Type of issue: Core CMS issue Level of severity: Internal Attack Vector Concrete5 version: 8.2.0 RC2 rev. b54f2b451f0a0804699c4cf9f0b3a8fef0e407db (July 10th)
There is Stored XSS vulnerability in RSS Feeds
Descriptiontextarea put following payload:
Now, select added feed from
Although this issue has no such big impact as previously reported by Corben Douglas (@sxcurity) report https://hackerone.com/reports/221380 (Stored XSS in RSS Feeds Title (Concrete5 v8.1.0)) because it requires user to enter into feed edit form - this issue introduces internal attack vector on any concrete5 user as well.
This vulnerability was tested on macOS Sierra 10.12.5 with following browsers:
I hope my report will help keep Concrete5 safe in the future.
Rafal 'bl4de' Janicki