Cross-site Scripting (XSS) - Stored in namelessmc/nameless


Reported on

Aug 28th 2021

✍️ Description

Stored XSS in google analytics.

🕵️‍♂️ Proof of Concept

  1. goto 'http://localhost/Nameless/index.php?route=/panel/core/seo/' logged in as admin.
  2. enter "G-XXXXXXXX'); javascript:alert(1); <!--" (without quotes) into google analytics submission.
  3. Click Submit
  4. View homepage


side note: entering in "><script>alert(1);</script> instead will cause any admin who visits the SEO page to have the java script activated on them.

💥 Impact

With this vulnerability, You can run arbitrary java script on all users.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago
2 years ago


a fix for this would be to use getPurified as seen below for vulnerable line:

$configuration->set('Core', 'ga_script', Output::getPurified(Input::get('analyticsid')));

hexdubbers submitted a
2 years ago
Sam validated this vulnerability 2 years ago
hexdubbers has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam marked this as fixed with commit 3a1fab 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation