Stored XSS in Page Title in omeka/omeka-s
Aug 5th 2023
In the latest version the page title is escaped and the XSS payload cannot be triggered there. However, after logging in as a user with different privileges, I see that it is still not escaped.
Proof of Concept
Step 1: Log in as Admin and create a page in site1 with the title ">test<img src=x onerror=prompt(1)>; observe that the page title is escaped and the XSS payload does not trigger.
Step 2: User1 with the
Step 3: Log in as User1 and view that page of site1; observe that the payload triggers.
An attacker can use this to compromise user accounts.
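The observation above is that the same stored title is escaped in one view and emitted raw in another, so the fix has to be applied at every output point, not just the one the first patch touched. The following is an added example, not Omeka S code: two hypothetical renderers stand in for the two views the report describes (`render_admin_view` escapes, `render_public_view` does not), and `audit_views` is a small check a tester can run over rendered HTML to find which views still emit an active event-handler attribute for the PoC title. The view names, the `<h1 class="page-title">` markup and the payload string are constructed for the example.

```python
import html
import re

# Constructed input: the page title from the report's PoC, as an attacker would store it.
PAYLOAD = '">test<img src=x onerror=prompt(1)>'


def render_admin_view(title: str) -> str:
    """Hypothetical view that escapes the stored title before emitting it.

    html.escape(quote=True) converts & < > " and ', which is what is needed for an
    HTML text node or a quoted attribute value.  Stand-in only, not Omeka S code.
    """
    return f'<h1 class="page-title">{html.escape(title, quote=True)}</h1>'


def render_public_view(title: str) -> str:
    """Hypothetical view that drops the stored title straight into the markup.

    This models the second, unpatched output path the report describes; the
    browser parses the attacker's <img onerror=...> as real markup.
    """
    return f'<h1 class="page-title">{title}</h1>'


# Matches a tag that carries an on* event-handler attribute (onerror=, onload=, ...).
# An escaped title contains no literal '<', so it can never match.
_EVENT_HANDLER_TAG = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_active_markup(rendered_html: str) -> bool:
    """Return True if the rendered HTML carries a tag with an inline event handler."""
    return _EVENT_HANDLER_TAG.search(rendered_html) is not None


# Every output path that shows the title must be on this list; a fix that only
# escapes one of them leaves the others exploitable, as in the report.
VIEWS = {
    "admin": render_admin_view,
    "public-site": render_public_view,
}


def audit_views(title: str, views=VIEWS) -> list:
    """Render the title through each view and list the views that still emit it unsafely."""
    return [name for name, render in views.items() if contains_active_markup(render(title))]


if __name__ == "__main__":
    for name, render in VIEWS.items():
        print(f"{name:12s} -> {render(PAYLOAD)}")
    print("views still vulnerable:", audit_views(PAYLOAD))
```

Running the block lists `public-site` as the only view that still emits the payload as live markup, which is the inconsistency the PoC steps demonstrate. The hardened renderer escapes on output, which is the right place for it: storing the title escaped would break other consumers (APIs, exports) and still miss any template that reads the raw value.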