| Field | Value |
|---|---|
| Issue | |
| Date | |
| Severity | Low |
| Requires Admin Access | Yes |
| Fix Version | n/a |
| Credit | Internal Security Team |
Description:

A number of user input fields within the administrative portal of the application were found to accept arbitrary user input that could be returned to the page. One example location where a script can be injected is the page title field of a new HTML page. The script below will cause a JavaScript alert box to pop up on the page that includes the contents of the site's cookies:
Mitigation:

Once a user is authenticated in the dotCMS admin console, they are treated as a trusted user. If this is not the case for your deployment, we recommend limiting administrative access to an IP range.
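The following is an added example, not dotCMS code, showing the difference the advisory describes: a page title written into markup as-is versus the same title HTML-encoded at render time. The function names, the `<h1>` template and the sample title are assumptions for illustration.

```javascript
// Added example (not dotCMS code): encode an admin-supplied page title before
// it is written back into HTML, so a stored value cannot become script.
// All function names and the template below are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that can change HTML element or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the title is concatenated into markup unchanged,
// which is the behaviour the advisory describes for the page title field.
function renderTitleUnsafe(title) {
  return `<h1 class="page-title">${title}</h1>`;
}

// Hardened rendering: the same template, with the title encoded first.
function renderTitleSafe(title) {
  return `<h1 class="page-title">${escapeHtml(title)}</h1>`;
}

// Detection helper: does the rendered markup still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample value standing in for a title submitted via the admin portal.
const sampleTitle = 'Welcome <script>alert(document.cookie)</script>';

console.log(renderTitleUnsafe(sampleTitle)); // script element survives
console.log(renderTitleSafe(sampleTitle));   // rendered as literal text only
```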