Cross-site Scripting (XSS) - Stored in namelessmc/nameless


Reported on

Aug 28th 2021

✍️ Description

Stored XSS in google analytics.

🕵️‍♂️ Proof of Concept

  1. goto 'http://localhost/Nameless/index.php?route=/panel/core/seo/' logged in as admin.
  2. enter "G-XXXXXXXX'); javascript:alert(1); <!--" (without quotes) into google analytics submission.
  3. Click Submit
  4. View homepage


side note: entering in "><script>alert(1);</script> instead will cause any admin who visits the SEO page to have the java script activated on them.

💥 Impact

With this vulnerability, You can run arbitrary java script on all users.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back a year ago
a year ago


a fix for this would be to use getPurified as seen below for vulnerable line:

$configuration->set('Core', 'ga_script', Output::getPurified(Input::get('analyticsid')));

hexdubbers submitted a
a year ago
Sam validated this vulnerability a year ago
hexdubbers has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam confirmed that a fix has been merged on 3a1fab a year ago
The fix bounty has been dropped
to join this conversation