Search found 2 matches

by cervoise
Fri May 22, 2020 1:16 pm
Forum: Bugs
Topic: CVE-2016-10737
Replies: 5
Views: 709

Re: CVE-2016-10737

I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list. Am I right?
by cervoise
Wed May 20, 2020 2:01 pm
Forum: Bugs
Topic: CVE-2016-10737
Replies: 5
Views: 709

Re: CVE-2016-10737

Hi,

I've tryed on a fresh install of v.2.3.5 and an user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration pannel or is the XSS back?