[Security] Stored XSS #38
Tested version: 8c2c8909 (latest)
Steps to reproduce the vulnerability:
" <script>alert(document.domain)</script>
as website name.
Each time a target visits the dashboard the payload will fire, even if the target is not logged in, since the website redirects to /admin/, presenting the login form, and the payload is reflected there as well.
In order to test this, just click logout and reload the page.
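
Added example, not part of the original report and not the project's code: a regression check for the fix, using the website name from the report as input. The link template and the function names `renderHeaderUnsafe`, `renderHeaderSafe` and `tagNames` are hypothetical stand-ins for wherever the project prints the website name on the dashboard and the /admin/ login page.

```javascript
// Constructed input: the website name quoted in the report above.
const SITE_NAME = '" <script>alert(document.domain)</script>';

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before (hypothetical template): the stored name is concatenated as-is
// into an attribute value and into the element body.
function renderHeaderUnsafe(siteName) {
  return '<a href="/admin/" title="' + siteName + '">' + siteName + '</a>';
}

// After: same template, with the stored name encoded at output time, so it
// is safe on every page that prints it, including the login form.
function renderHeaderSafe(siteName) {
  const safe = escapeHtml(siteName);
  return '<a href="/admin/" title="' + safe + '">' + safe + '</a>';
}

// Regression check helper: list the opening tags present in a fragment.
// A correctly encoded fragment contains only the template's own tags.
function tagNames(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
}

console.log('unsafe tags:', tagNames(renderHeaderUnsafe(SITE_NAME)));
console.log('safe tags:  ', tagNames(renderHeaderSafe(SITE_NAME)));
```

The same check can run in the project's test suite against each template that prints the website name, so a new unencoded use fails the build.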