huntr, ranjit-git, A1F05BE5-24ED-4EC5-9858-FCE4233F7BB1
Sep 23, 2023 - 5:58 p.m.

Stored XSS using journal role when a user tries to export the users of any journal

www.huntr.dev

AI Score: 7
Confidence: Low
EPSS: 0
Percentile: 14.0%

BUG

Stored XSS using journal role when a user tries to export the users of any journal

SUMMARY

A lower-level user can attack a higher-level user using this XSS.

STEPS TO REPRODUCE

1. From the admin account, create a journal called “journal-A”.

2. As admin, go to the above journal at http://localhost/ojs/index.php/dddd/management/settings/access#users and add a new user called “user-B” with the role “Production editor”.

3. Now, as user-B, go to “user & role” of journal-A at http://localhost/ojs/index.php/dddd/management/settings/access#roles and create a new role with the XSS payload xss"''&gt;<img src> in the “Role Name” field.

4. Now go to the admin account, open journal-A, then go to Statistics->Users. Here the URL looks like http://localhost/ojs/index.php/dddd/stats/users/users
When the admin tries to export the users, the XSS is executed.
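
The defensive counterpart to the steps above, as an added example that is not part of the original report and is not OJS code: the role name stored in step 3 is encoded at the point where a role list is rendered, and stored roles are audited for markup characters. The function names, the role object shape and the checkbox markup are assumptions; the report does not show the affected template.

```javascript
// Added example, not OJS code. Function names, the role object shape and
// the markup layout are hypothetical.

// Encode the five characters that let text break out of HTML content or
// out of a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored role name is concatenated into markup as-is.
function renderRoleOptionUnsafe(role) {
  return '<label><input type="checkbox" value="' + role.id + '"> ' + role.name + '</label>';
}

// Hardened pattern: every stored value is encoded at the point of output.
function renderRoleOptionSafe(role) {
  return '<label><input type="checkbox" value="' + escapeHtml(role.id) + '"> ' +
    escapeHtml(role.name) + '</label>';
}

// Audit helper: list stored roles whose names contain markup characters,
// so existing records can be reviewed once the output fix is deployed.
function findSuspiciousRoles(roles) {
  return roles.filter((role) => /[<>"']/.test(String(role.name)));
}

// Constructed sample data; the second name is the string given in step 3.
const sampleRoles = [
  { id: 17, name: 'Production editor' },
  { id: 42, name: `xss"''&gt;<img src>` },
];

console.log(renderRoleOptionSafe(sampleRoles[1]));
console.log(findSuspiciousRoles(sampleRoles).map((role) => role.id));
```

Encoding at output is the fix; the audit only helps find role names that were stored before it was in place.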
