Authors:0XB9 Risk：High CVE：CVE-2018-10366 0day:Cross-Site Scripting 0day -id:0DAY-176105 Date：2018-04-27
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
# Exploit Title: October CMS User Plugin v1.4.5 - Persistent Cross-Site Scripting # Date: 2018-04-03 # Author: 0xB9 # Software Link: https://octobercms.com/plugin/rainlab-user # Version: 1.4.5 # Tested on: Ubuntu 17.10 # CVE: CVE-2018-10366 Persistent XSS - Go to the account page localhost/OctoberCMS/account/ - Register & enter the following for your full name <p """><SCRIPT>alert("XSS")</SCRIPT>"> - You will be alerted everytime you visit the account page localhost/OctoberCMS/account/
Update to 1.4.6