noneCms
NoneCMS V1.3.0 has an XSS vulnerability in admin/article/add.html
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
By default, noneCMS uses Editor.md for users to edit their articles. However, Editor.md has an XSS vulnerability. A remote user who has the right to edit articles can inject arbitrary web script or HTML in admin/article/add.html.
PoC: <img src=x onerror=alert(document.cookie)>
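
One way to close this class of bug on the rendering side, as an added example that is not noneCMS or Editor.md code: encode the stored name value before it is written into HTML. The function names and the row template are hypothetical, and the sample record is constructed from the PoC string in this report.

```javascript
// Added example (not noneCMS code): output-encode the article "name" value.
// renderRowUnsafe, renderRowSafe and the <tr>/<td> template are hypothetical.

const ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode every character that can open a tag, start an entity or close a
// quoted attribute, so the result is inert in element text and in
// quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Vulnerable form: the stored value is concatenated into markup as-is.
function renderRowUnsafe(article) {
  return `<tr><td>${article.name}</td></tr>`;
}

// Hardened form: same template, value encoded at output time.
function renderRowSafe(article) {
  return `<tr><td>${escapeHtml(article.name)}</td></tr>`;
}

// Crude regression check: names of everything that looks like an opening tag.
// Anything beyond the template's own tags means user input became markup.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
}

// Constructed sample record using the payload from this report.
const sample = { name: "<img src=x onerror=alert(document.cookie)>" };

console.log("unsafe tags:", tagNames(renderRowUnsafe(sample)));
console.log("safe tags:  ", tagNames(renderRowSafe(sample)));
console.log("safe markup:", renderRowSafe(sample));
```

The same check can run as a regression test against any template that prints article fields: only the template's own element names should ever appear in the output.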