concrete5: Self Xss on File Replace

2015-03-07T15:10:05
ID H1:50481
Type hackerone
Reporter ishahriyar
Modified 2015-07-08T18:38:48

Description

In the File Manager there is a Replace option to replace files from three sources: 1. from computer, 2. incoming, 3. remote files. For remote files, if we put http://example.com/"><img src=x onerror=confirm('name')>

in the URL box, it reflects XSS. PoC: https://www.dropbox.com/s/m7pb9wiwxix1oyu/replacexss.mkv?dl=0

Thanks
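The defect described in the report is a value from the "remote file" URL box being written back into the page without output encoding. The following is an added illustration, not code from concrete5 or from the reporter: a minimal Python stand-in for the form rendering (concrete5 itself is PHP, and the field name `remote_url` is an assumption) that shows the unescaped pattern beside the escaped one, using the exact string quoted in the report as a constructed sample input. It also shows why a scheme check on the URL alone is not a fix: the reported string is a syntactically valid http URL, so only attribute-context escaping on output neutralizes it.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input: the string quoted in the report above.
REPORTED_INPUT = 'http://example.com/"><img src=x onerror=confirm(\'name\')>'


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the submitted value is interpolated into an
    attribute without escaping, so a quote in the input closes the attribute
    and the rest of the string is parsed as markup."""
    return f'<input type="text" name="remote_url" value="{url}">'


def render_safe(url: str) -> str:
    """Hardened pattern: HTML-escape the value for the attribute context.
    quote=True also encodes " and ' so the attribute cannot be broken out of."""
    return f'<input type="text" name="remote_url" value="{html.escape(url, quote=True)}">'


def validate_remote_url(url: str) -> Optional[str]:
    """Input validation that a remote-file feature should do anyway (only
    http/https with a host). Note that this does NOT reject the reported
    input, because everything after the host is a legal URL path: validation
    limits what gets fetched, escaping limits what gets rendered."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return url


def contains_raw_tag(rendered: str) -> bool:
    """Simple check a reviewer or test can run over rendered output: does the
    submitted markup survive as a real tag rather than as escaped text?"""
    return "<img" in rendered


if __name__ == "__main__":
    print("unsafe :", render_unsafe(REPORTED_INPUT))
    print("safe   :", render_safe(REPORTED_INPUT))
    print("passes URL validation:", validate_remote_url(REPORTED_INPUT) is not None)
```

In a PHP template the equivalent of `render_safe` is `htmlspecialchars($url, ENT_QUOTES)` at the point of output; a regression test like `contains_raw_tag` over the rendered replace form is a cheap way to keep the fix from silently reverting.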