Stored XSS via Editing config in thorsten/phpmyfaq
Reported on
Jul 2nd 2022
Description
Hello, I'm reporting several Stored XSS vulnerabilities in the same report because huntr.dev now wants us to do this. Please consider the vulnerabilities independently.
Vuln one:
It's possible to inject JavaScript code into the "URL of your FAQ" parameter of the admin's edit config form. The malicious code is triggered on almost every page of the site.
Vuln two:
It's possible to inject JavaScript code into the "Contact information" parameter of the admin's edit config form. The malicious code is triggered on the contact page.
Proof of Concept
Vuln one:
The edit config form is located at: https://{ENDPOINT}/admin/?action=config
Put this payload in the "URL of your FAQ" box:
"><img src=x onerror=alert(document.domain)>
Be careful when you reproduce this issue: it will break a major part of the website's pages.
Vuln two:
The edit config form is located at: https://{ENDPOINT}/admin/?action=config
Put this payload in the "Contact Information" box:
"><img src=x onerror=alert(document.domain)>
Go to https://{ENDPOINT}/index.php?action=contact and see the XSS triggered!
Impact
Stored XSS, client-side JavaScript code execution.
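The fix for both findings is the same: treat the config values as untrusted at render time. The following PHP is an added example and not phpMyFAQ's own code; the config keys, template fragments and function names are assumptions chosen for illustration. It validates the FAQ URL when it is saved and HTML-encodes every config value when it is output, so the leading `">` in the reported payload can no longer close the attribute or inject a tag.

```php
<?php
// Added example, not phpMyFAQ code. Shows why the two reported config fields
// need validation at save time and context-aware encoding at render time.
// Config keys, template fragments and function names are assumptions.

declare(strict_types=1);

/**
 * Encode a value for use inside an HTML attribute or text node.
 * ENT_QUOTES turns both " and ' into entities, so the value can never
 * terminate the surrounding attribute.
 */
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Accept only absolute http(s) URLs for the "URL of your FAQ" setting.
 * Returns null for anything else so the caller can reject the save.
 */
function validateFaqUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Constructed sample configuration seeded with the payload from the report.
$config = [
    'faq_url'      => '"><img src=x onerror=alert(document.domain)>',
    'contact_info' => '"><img src=x onerror=alert(document.domain)>',
];

// Vulnerable rendering: raw interpolation into an attribute and a text node.
$vulnerableLink    = '<a href="' . $config['faq_url'] . '">Home</a>';
$vulnerableContact = '<p>' . $config['contact_info'] . '</p>';

// Hardened rendering: reject a non-URL at save time, encode at render time.
// The fallback value is a constructed placeholder.
$safeUrl          = validateFaqUrl($config['faq_url']) ?? 'https://example.invalid/';
$hardenedLink     = '<a href="' . escHtml($safeUrl) . '">Home</a>';
$hardenedContact  = '<p>' . escHtml($config['contact_info']) . '</p>';

echo $vulnerableLink, "\n";    // attribute is closed and an <img onerror> tag is injected
echo $hardenedLink, "\n";      // <a href="https://example.invalid/">Home</a>
echo $vulnerableContact, "\n"; // <img onerror> tag injected into the page body
echo $hardenedContact, "\n";   // <p>&quot;&gt;&lt;img src=x onerror=alert(document.domain)&gt;</p>
```

Validation alone is not sufficient: the "Contact information" field legitimately holds free text, so it cannot be rejected on content and must rely on encoding at the point where it is written into the page. Encoding alone is also the wrong place to stop for the URL field, because a `javascript:` URL survives `htmlspecialchars` untouched and would still run when the link is clicked, which is why the scheme check is applied on save as well.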
Well, it works, but an admin would harm his own page...