Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin

Valid

Reported on Sep 15th 2021


Description

Stored XSS

Proof of Concept

Please check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/1hyN4X9gIgQJH2B5QEFhkniGt78sIw1iF/view?usp=sharing

Impact

XSS allows arbitrary JavaScript code execution.

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago
邹景立
2 years ago

Maintainer

The CKEditor has removed the on event.

邹景立 validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 marked this as fixed with commit 94b9b6 2 years ago
邹景立 has been awarded the fix bounty
This vulnerability will not receive a CVE
邹景立
2 years ago

Maintainer

Just update the configuration file of CKEditor.

邹景立
2 years ago

Maintainer

https://github.com/zoujingli/ThinkAdmin/blob/v6/public/static/plugs/ckeditor/config.js#L17
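The maintainer's fix was a change to the CKEditor configuration so that inline `on*` event-handler attributes are no longer accepted in editor content; the exact contents of line 17 of that config file are not shown on this page. For a defender who wants to understand what such a filter must do, the following is an added example, not code from the ThinkAdmin project or from CKEditor: a small server-side pass over stored HTML that drops `on*` attributes and `javascript:`/`vbscript:` URL schemes before the content is rendered. The tag and attribute regexes, `stripEventHandlers`, and the sample input are all constructed here for illustration. In production, prefer the editor's own content filter (CKEditor 4's Advanced Content Filter exposes `config.disallowedContent` for this) or a maintained sanitizer such as DOMPurify; a hand-rolled filter like this one is a teaching aid, not a substitute.

```javascript
// Added defensive example (not from the ThinkAdmin project or CKEditor):
// remove inline event-handler attributes and script-scheme URLs from HTML
// that was stored from a rich-text editor, so a persisted <img onerror=...>
// or <a href="javascript:..."> cannot execute when the content is rendered.

// Matches an opening or self-closing tag and captures: tag name, raw attribute
// text, and an optional trailing "/" (constructed, deliberately simple parser).
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=]+))?)*)\s*(\/?)>/g;

// Matches one attribute inside the captured attribute text: name and optional
// quoted or unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'<>=]+))?/g;

// Attributes whose value is interpreted as a URL and must not carry a script scheme.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Returns true when the attribute must be dropped from stored content.
function isDangerousAttr(name, value) {
  const n = name.toLowerCase();
  // Any on* attribute (onclick, onerror, onload, ...) is an inline handler.
  if (n.startsWith('on')) return true;
  if (URL_ATTRS.has(n) && value !== undefined) {
    // Strip surrounding quotes and the control/whitespace characters browsers
    // ignore inside a scheme, then compare case-insensitively.
    const v = value
      .replace(/^["']|["']$/g, '')
      .replace(/[\u0000-\u0020]/g, '')
      .toLowerCase();
    if (v.startsWith('javascript:') || v.startsWith('vbscript:')) return true;
  }
  return false;
}

// Rewrites each tag, keeping only attributes that pass isDangerousAttr.
// Text nodes, comments and closing tags are passed through untouched.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (match, tagName, attrs, selfClose) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const [, name, value] = m;
      if (isDangerousAttr(name, value)) continue;
      kept.push(value === undefined ? name : `${name}=${value}`);
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tagName}${attrText}${selfClose ? ' /' : ''}>`;
  });
}

// Constructed sample of editor content as it might have been stored before
// the configuration fix; each tag carries one attribute the filter must remove.
const SAMPLE_STORED_HTML =
  '<p onclick="alert(1)">hi</p>' +
  '<img src="x" onerror=alert(1)>' +
  '<a href="javascript:alert(1)">x</a>' +
  '<a href="https://example.com" class="ok">ok</a>' +
  '<svg onload=alert(1)></svg>';

function demo() {
  return stripEventHandlers(SAMPLE_STORED_HTML);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The filter is an allow-by-default attribute pass, which is exactly why it should not be the only control: an editor-side content filter that lists what is permitted (tags, attributes, URL schemes) fails closed when a new attack surface appears, whereas a deny-list like `on*` has to be kept current. Running the block prints the sample with every handler and script URL removed while `src`, safe `href` values and `class` survive.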
