Cross-site Scripting (XSS) - Reflected in kunstmaan/kunstmaanbundlescms

Valid

Reported on

Nov 20th 2021


Description

In kunstmaan/kunstmaanbundlescms, the extra metadata field in the SEO form is vulnerable to reflected cross-site scripting.

Proof of Concept

  1. Log in to the demo account.

  2. Go to Pages -> select any page to edit -> go to SEO.

  3. Add the payload to the extra metadata field, click Save, and open the preview: an XSS alert is triggered.

payload = "><iMg SrC="x" oNeRRor="alert(1);">

Impact

This vulnerability can be used to steal user cookies.
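Two defences for a field like this, as an added example that is not code from kunstmaan/kunstmaanbundlescms or from its fix: escape the stored value when it is echoed back into the edit form, and rebuild the markup emitted into the page from an allowlist of meta tags. It is a Python sketch of the technique rather than the project's PHP; the function names, the extra_metadata input name and the attribute allowlist are assumptions.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the report above.
PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">'

# Assumed allowlist; http-equiv is left out on purpose (meta refresh redirects).
ALLOWED_ATTRS = {"name", "property", "content", "charset"}


class MetaOnly(HTMLParser):
    """Rebuild the input, keeping only <meta> tags with allowlisted attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.kept, self.rejected = [], []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so "iMg" arrives as "img".
        if tag != "meta":
            self.rejected.append(tag)
            return
        safe = [(k, v or "") for k, v in attrs if k in ALLOWED_ATTRS]
        if safe:
            body = " ".join(f'{k}="{html.escape(v, quote=True)}"' for k, v in safe)
            self.kept.append(f"<meta {body}>")

    # Text nodes and end tags are dropped: handle_data/handle_endtag stay no-ops.


def sanitize_extra_metadata(raw):
    """Return (safe markup for <head>, list of rejected tag names)."""
    parser = MetaOnly()
    parser.feed(raw)
    parser.close()
    return "\n".join(parser.kept), parser.rejected


def render_form_value(raw):
    """Echo the stored value back into the edit form, escaped for an attribute."""
    return f'<input name="extra_metadata" value="{html.escape(raw, quote=True)}">'


if __name__ == "__main__":
    print(sanitize_extra_metadata('<meta name="robots" content="noindex">' + PAYLOAD))
    print(render_form_value(PAYLOAD))
```

The rejected list can be surfaced as a form validation error or logged, so that attempts to store non-meta markup are visible to administrators.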

We are processing your report and will contact the kunstmaan/kunstmaanbundlescms team within 24 hours. 14 days ago
We have contacted a member of the kunstmaan/kunstmaanbundlescms team and are waiting to hear back 13 days ago
kunstmaan/kunstmaanbundlescms maintainer validated this vulnerability 13 days ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
kunstmaan/kunstmaanbundlescms maintainer confirmed that a fix has been merged on b58d64 12 days ago
The fix bounty has been dropped