WordPress BP Group Documents Plugin 1.2.1 - Multiple Vulnerabilities

Details
================
Software: BP Group Documents
Version: 1.2.1
Homepage: http://wordpress.org/plugins/bp-group-documents/
CVSS: 8 (High; AV:N/AC:L/Au:S/C:P/I:P/A:C)

Description
================
Stored XSS vulnerability in BP Group Documents 1.2.1

Vulnerability
================
“Display name” and “Description” fields are not escaped, meaning any
tags including script tags can be stored in them.
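
The unescaped output pattern described above next to its escaped form, as an added example that is not the plugin's own code. render_document_unsafe(), render_document() and the $doc array are hypothetical, and the esc_html()/esc_attr() stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Added example; function names and the $doc layout are hypothetical.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// esc_html() / esc_attr() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unescaped pattern: stored values are concatenated into markup as-is,
// so any tag saved in either field becomes part of the page.
function render_document_unsafe(array $doc) {
    return '<li title="' . $doc['name'] . '"><strong>' . $doc['name']
        . '</strong> ' . $doc['description'] . '</li>';
}

// Escaped pattern: every stored value is encoded for the context it lands in.
function render_document(array $doc) {
    return '<li title="' . esc_attr($doc['name']) . '"><strong>'
        . esc_html($doc['name']) . '</strong> '
        . esc_html($doc['description']) . '</li>';
}

// Constructed sample record, as it would sit in storage after an upload.
$doc = array(
    'name'        => 'Q3 report <script>/* constructed marker */</script>',
    'description' => 'Figures for "Q3" <b>draft</b>',
);

$unsafe = render_document_unsafe($doc);
$safe   = render_document($doc);
echo $unsafe, "\n", $safe, "\n";

// Regression check: the stored tags must reach the page only as text.
if (strpos($unsafe, '<script>') === false || strpos($safe, '<script>') !== false
    || strpos($safe, '<b>') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo "escaping check passed\n";
```

Escaping at output time covers records that were stored before any input-side fix was deployed.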

Proof of concept
================
Go to the upload form, select a document to upload, set the “Display
name” to “photograph of a cute puppy
