Stored XSS attacks are even more significant in websites that require authentication. When an authenticated user visits a page with stored XSS, attackers are usually able to hijack their session and perform actions on their behalf. On some websites, such as those of financial or medical institutions, this can result in financial loss or exposure of highly sensitive data.
Remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
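The two layers described above, applied to the Family Name field from this report, as an added PHP example (not ChurchCRM's own code; the accepted character set and length limit are assumptions for illustration):

```php
<?php
// Added example, not ChurchCRM code: strict validation on arrival plus
// HTML encoding on output for the "Family Name" field from this report.
declare(strict_types=1);

// Layer 1: validate as strictly as the expected content allows. A family name
// is expected to be short and made of letters, spaces and a few typographical
// characters. The character set and the 100-character limit are assumptions.
// Input that fails is rejected outright, not "cleaned up".
function validateFamilyName(string $name): bool
{
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 1 || $len > 100) {
        return false;
    }
    // \p{L} = any letter (accented names included), \p{M} = combining marks.
    return preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name) === 1;
}

// Layer 2: HTML-encode at the point of output, every time, regardless of what
// validation did earlier. ENT_QUOTES encodes both " and ' (before PHP 8.1 the
// default flags leave ' alone), ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, and the charset is stated explicitly.
// Note: htmlspecialchars() does not encode "=", so always quote attribute
// values in the template; an unquoted attribute is not protected by this call.
function renderFamilyName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Registration handling: reject invalid input, do not sanitize it.
function registerFamily(string $rawName): string
{
    if (!validateFamilyName($rawName)) {
        return 'rejected: invalid family name';
    }
    // ... persist $rawName here with a prepared statement ...
    return 'registered';
}

// Constructed demonstration: the payload quoted in this report and a
// legitimate name containing an apostrophe and a hyphen.
$payload = '"><img src=x onerror=alert(2)>';
echo registerFamily($payload), PHP_EOL;
echo registerFamily("O'Brien-Smith"), PHP_EOL;
// Had such a value already been stored (as in this report), output encoding
// on the family page renders it as inert text instead of markup.
echo renderFamilyName($payload), PHP_EOL;
```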
Should fix this and most likely remove the external facing link to add a family to -- only allowing additions once logged in.
Thanks for working on the fix.
Please do not remove the capability to add a family without logging in, especially since content can't be restricted by user role.
Feature request: creating different user roles; restricting content viewing and editing by user roles.
Description
A stored XSS vulnerability has been found in Church CRM when the application default setting is open to register the family without the login.
"><img src=x onerror=alert(2)>
Steps To Reproduce
Log out of your account and navigate to the login page.
Click on Register a new Family and add the payload
"><img src=x onerror=alert(2)>
in the Family Name text field and register. Log in to the application (as Admin or another user).
Navigate to the Family page (https://crm.site/v2/family) and you will get the XSS alert.