
XSS Vulnerability caused by Redactor 3

Open shellsniper opened this issue 6 years ago • 3 comments

The stored XSS can be triggered when you edit content using the Redactor 3 (https://imperavi.com/redactor/) plugin. It can be found in both the PAGE and BLOG modules.


To the developer: Please avoid using Redactor right now, until they fix this issue.

Reference: https://github.com/gleez/cms/issues/794 https://imperavi.com/redactor/

shellsniper, Jul 05 '18 09:07

Hi,

Thank you for the detailed explanation.

Can you make a pull request so that I can merge it? If not, I'll be doing it as early as possible.

Once again, thanks for bringing this to our notice.

On 05-Jul-2018, at 2:40 PM, Chenfeng Nie [email protected] wrote:

The stored XSS can be triggered when you edit content using the Redactor 3 (https://imperavi.com/redactor/) plugin. It can be found in both the PAGE and BLOG modules.

To the developer: Please avoid using Redactor right now, until they fix this issue.

Reference: #794 https://imperavi.com/redactor/


anupriya17, Jul 05 '18 09:07

@anupriya17 I'll be looking into it right now.

sandeepone, Jul 05 '18 10:07

@levoncf @anupriya17 I've disabled Redactor immediately. Will investigate further. Feel free to share your opinions.

sandeepone, Jul 05 '18 10:07