Cross-site Scripting (XSS) - Stored in namelessmc/nameless
Aug 28th 2021
Stored XSS in Google Analytics.
🕵️‍♂️ Proof of Concept
- Go to 'http://localhost/Nameless/index.php?route=/panel/core/seo/' while logged in as admin.
- Click Submit
- View homepage
Side note: entering "><script>alert(1);</script> instead will cause the JavaScript to run for any admin who visits the SEO page.
With this vulnerability, you can run arbitrary JavaScript on all users.
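
One way to close both sinks described above (the SEO settings form and the public pages), as an added example that is not NamelessMC's own code. The helper names, the `analyticsid` field name and the ID length bounds are assumptions; the idea is to accept only well-formed Google Analytics IDs on save and to escape the stored value for the context it is rendered in.

```php
<?php
// Added example: hypothetical helpers, not taken from the NamelessMC code base.

// Allowlist check on save. Accepts the two public Google Analytics ID shapes:
// Universal Analytics (UA-12345678-1) and GA4 (G-XXXXXXXXXX).
// The length bounds are an assumption chosen for this example.
function is_valid_analytics_id(string $id): bool
{
    return preg_match('/\A(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,20})\z/', $id) === 1;
}

// Escape for an HTML attribute, e.g. value="..." on the SEO settings form.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode as a JavaScript string literal that is safe inside a <script> block:
// <, >, &, ' and " are emitted as \uXXXX escapes.
function escape_js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample inputs: a well-formed ID and the payload from the report.
$samples = ['G-ABC123DEF4', '"><script>alert(1);</script>'];

foreach ($samples as $input) {
    if (is_valid_analytics_id($input)) {
        echo 'stored:   ', $input, PHP_EOL;
    } else {
        echo 'rejected: ', escape_attr($input), PHP_EOL;
    }
    // Even if an old, unvalidated value is already in the database,
    // context-aware escaping keeps it inert in both places it is rendered.
    echo '  attr:   <input name="analyticsid" value="', escape_attr($input), '">', PHP_EOL;
    echo "  script: gtag('config', ", escape_js($input), ');', PHP_EOL;
}
```

Validation on save alone does not neutralise payloads stored before the fix, which is why the output escaping is applied regardless of whether the value passed the check.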