XSS possible after admin authentication

Issue: SI-5
Date: Jun 2, 2013 12:00:00 PM
Severity: Low
Requires Admin Access: Yes
Fix Version: n/a
Credit: Internal Security Team
Description:

A number of user input fields within the administrative portal of the application were discovered to accept arbitrary user input that could be returned to the page. One example location where a script could be injected is the page title field of a new HTML page. The script below will cause a JavaScript alert box to pop up on the page that includes the contents of the site's cookies:

test</title></head><body><script>alert(document.cookie)</script><!--
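The payload above works because the title value is concatenated into the page markup without encoding: the first `</title></head>` closes the real elements early, the `<script>` then lands in body context, and the trailing `<!--` comments out the rest of the template so the document stays well-formed enough to render. The following is an added example, not dotCMS code, that reproduces that break-out with a minimal template, shows the output-encoding fix (escaping `& < > " '` for the HTML text context), and includes a small check a test suite can run over rendered pages. The renderer and check functions are hypothetical names chosen for this illustration.

```javascript
// Added example (not part of the advisory or dotCMS): how the SI-5 page-title
// payload escapes the <title> element when interpolated raw, and how HTML
// output encoding neutralises it.

// Payload exactly as quoted in the advisory.
const ADVISORY_PAYLOAD =
  'test</title></head><body><script>alert(document.cookie)</script><!--';

// Encode the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer (hypothetical): untrusted title concatenated straight into markup.
function renderHeadVulnerable(title) {
  return `<html><head><title>${title}</title></head><body><h1>Page</h1></body></html>`;
}

// Hardened renderer (hypothetical): same template, title encoded for the text context.
function renderHeadSafe(title) {
  return `<html><head><title>${escapeHtml(title)}</title></head><body><h1>Page</h1></body></html>`;
}

// Detection helper: does the rendered document contain a <script> element
// anywhere outside the real <title> element? With encoding in place the
// payload stays inside <title> as inert text, so this returns false.
function hasInjectedScript(html) {
  const withoutTitle = html.replace(/<title>[\s\S]*?<\/title>/i, '');
  return /<script\b/i.test(withoutTitle);
}

// Stand-alone demonstration.
console.log('vulnerable:', hasInjectedScript(renderHeadVulnerable(ADVISORY_PAYLOAD))); // true
console.log('hardened:  ', hasInjectedScript(renderHeadSafe(ADVISORY_PAYLOAD)));       // false
```

The same encoding step applies to every reflected field the advisory mentions, not only the page title; encoding must match the context the value lands in (HTML text here), which is why a single global `escapeHtml` is not a substitute for context-aware templating in attribute, URL or script contexts.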


Workaround:

Once a user is authenticated in the dotCMS admin console, they are treated as a trusted user. Where that trust assumption does not hold in your deployment, we recommend restricting administrative access to a specific IP range.
