Cross-site Scripting (XSS) - Stored in namelessmc/nameless

Valid

Reported on

Aug 28th 2021

✍️ Description

Stored XSS in google analytics.

goto 'http://localhost/Nameless/index.php?route=/panel/core/seo/' logged in as admin.
enter "G-XXXXXXXX'); javascript:alert(1); <!--" (without quotes) into google analytics submission.
Click Submit
View homepage

xss

side note: entering in "><script>alert(1);</script> instead will cause any admin who visits the SEO page to have the java script activated on them.

With this vulnerability, You can run arbitrary java script on all users.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago

commented 2 years ago

Researcher

a fix for this would be to use getPurified as seen below for vulnerable line:

$configuration->set('Core', 'ga_script', Output::getPurified(Input::get('analyticsid')));

hexdubbers submitted a

2 years ago

Sam validated this vulnerability 2 years ago

hexdubbers has been awarded the disclosure bounty

The fix bounty is now up for grabs

Sam marked this as fixed with commit 3a1fab 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation