Issues » XSS possible after admin authentication

Issue: SI-5
Date: Jun 2, 2013, 8:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: n/a
Credit: Internal Security Team

A number of user input fields within the administrative portal of the application were discovered to accept arbitrary user input that could be returned to the page. One example location where a script could be injected is the page title field of a new HTML page. The script below will cause a JavaScript alert box to pop up on the page that includes the contents of the site's cookies:



Once a user is authenticated in the dotCMS admin console, they are treated as a trusted user. If administrators are not to be trusted at that level, we recommend restricting administrative access to a defined IP range.
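As an added illustration (not part of the original advisory and not dotCMS code), the defect class described above beside its fix: a stored page title interpolated straight into HTML, versus the same title passed through an HTML encoder at each interpolation point. The template fragment and the sample title are constructed for this example; no dotCMS templates or APIs are assumed.

```javascript
// Added example, not dotCMS code: rendering a user-supplied page title.
// The template fragment and the sample title below are constructed.

// Characters that change meaning in HTML text and quoted-attribute contexts.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value so the browser treats it as literal text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable form: the stored title is concatenated into markup unchanged.
// Inside <title> (an RCDATA element) a raw "</title>" closes the element, and
// inside <h1> any tag in the value is parsed as a tag: stored XSS.
function renderTitleUnsafe(title) {
  return `<title>${title}</title>\n<h1 class="page-title">${title}</h1>`;
}

// Hardened form: the same template, with the value encoded for HTML context
// at every point it is interpolated.
function renderTitleSafe(title) {
  const safe = escapeHtml(title);
  return `<title>${safe}</title>\n<h1 class="page-title">${safe}</h1>`;
}

// Constructed sample: a title containing markup, as an admin could type it.
const constructedTitle = 'Home <script>x</script>';
console.log(renderTitleUnsafe(constructedTitle)); // tag survives into the page
console.log(renderTitleSafe(constructedTitle));   // tag rendered as literal text
```

Applying the encoder once on output, rather than trying to strip tags on input, covers every place the stored value is later rendered.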