Search found 2 matches
- Fri May 22, 2020 1:16 pm
- Forum: Bugs
- Topic: CVE-2016-10737
- Replies: 5
- Views: 6330
Re: CVE-2016-10737
I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list". Am I right?
- Wed May 20, 2020 2:01 pm
- Forum: Bugs
- Topic: CVE-2016-10737
- Replies: 5
- Views: 6330
Re: CVE-2016-10737
Hi,
I've tried on a fresh install of v.2.3.5 and a user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration panel or is the XSS back?