huntr report A060D3DD-6FDD-4958-82A9-364DF1CB770C

Persistent Cross Site Scripting - LayoutEditor Module - Settings

2022-08-19 17:53:46
thanhlocstudent
www.huntr.dev

EPSS: 0.001 (Low), percentile 21.6%

Description

The application uses Purifier to prevent Cross Site Scripting attacks. However, in the LayoutEditor module under Settings, the fieldModel->label parameter is of type "Text" but is not validated, and it is used directly, without any encoding or validation, in LayoutEditor/EditField.tpl. Because the value is written into an HTML attribute, a label that closes the attribute and adds an event-handler attribute is stored and executes for whoever later opens that field for editing, so an attacker can inject arbitrary JavaScript and perform a stored XSS attack.

Proof of Concept

  1. Login to the application.
  2. Access the LayoutEditor module via the following URL:
     https://gitstable.yetiforce.com/index.php?module=LayoutEditor&parent=Settings&view=Index
  3. Click the "Edit" button and change the value of the "label" parameter to the following payload:

     LayoutEditor" onfocus="alert(document.domain)" autofocus ""="
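As an added illustration (not code from this report or from the YetiForce project), the following Python models what happens when the stored label is interpolated into the value attribute of the edit form, first without encoding (the reported behaviour) and then with attribute-context encoding. The template shape, the function names and the sample payload wiring are assumptions made for the example; Python's html.parser stands in for the browser so the outcome can be checked offline.

```python
import html
from html.parser import HTMLParser

# Constructed input: the payload from the report. The leading double quote
# closes the value="..." attribute early, onfocus/autofocus become real
# attributes, and the trailing ""=" absorbs the template's own closing quote
# so the tag still parses cleanly.
PAYLOAD = 'LayoutEditor" onfocus="alert(document.domain)" autofocus ""="'


def render_label_unescaped(label: str) -> str:
    """Hypothetical stand-in for a template that writes the stored label
    straight into an attribute with no encoding (the reported bug)."""
    return f'<input type="text" name="label" value="{label}">'


def render_label_escaped(label: str) -> str:
    """Hardened form: encode for the attribute context. quote=True turns
    every double quote into &quot; so the value cannot break out."""
    return f'<input type="text" name="label" value="{html.escape(label, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attribute dict of every <input> the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(markup: str) -> list[dict]:
    """Parse markup and return the attributes of each <input> element,
    with entity references already decoded (as a browser would)."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs


def event_handlers(markup: str) -> list[str]:
    """Names of any on* attributes that ended up on <input> elements.
    A non-empty list means the label escaped the attribute context."""
    return sorted(
        name
        for attrs in input_attributes(markup)
        for name in attrs
        if name.startswith("on")
    )


if __name__ == "__main__":
    for render in (render_label_unescaped, render_label_escaped):
        out = render(PAYLOAD)
        print(render.__name__, "->", out)
        print("  handlers:", event_handlers(out) or "none")
```

With the unescaped template the parser reports an onfocus handler plus a bare autofocus attribute, which is exactly the combination that fires without user interaction; with the escaped template the whole payload survives only as the literal text of the value attribute and no handler exists. The same check works as a quick regression test for any template that places user-controlled text inside an attribute.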

Screenshots (not reproduced here): injecting the payload; PoC.

PoC Video

https://drive.google.com/file/d/1TCHCCuLC_3pJ9VMaDvRWmlab58eOY8aI/view?usp=sharing
