XSS ist possible in the admin part of the comments extensions.

 1. Post a Comment with say "<script>alert("oh my xss")</script>"
 2. Login as admin, goto comments tab
 3. you see...

In the frontend, the output is handled correctly.
This gives an attacker the possibility to take over an admin account.


Attachment: signature.asc
Description: PGP signature

Radiant mailing list
Post:   Radiant@radiantcms.org
Search: http://radiantcms.org/mailing-list/search/
Site:   http://lists.radiantcms.org/mailman/listinfo/radiant

Reply via email to