Cross-Site Scripting v0.1.5

[zxc7528064]

Affected software : flexocms CMS

Version : v.0.1.5

Type of vulnerability : XSS (Cross-Site Scripting)

Author : Noth

Description:
flexocms CMS is susceptible to cross-site scripting attacks, allowing malicious users to inject code into web pages, and other users will be affected when viewing web pages

Step 1 : login system

Step 2 : go to "admin/page/edit/4"，There is a storage type XSS in the field (page title).
"><svg/onload=alert(document.cookie)>

Step 3 : Back to the front desk ，Click "Contacts"

[jmas]

Hello, @zxc7528064. Thank you for update. I need note that Flexo CMS project currently is do not supported by me.
From my point of view - issue could be fixed on template side and to be clear - current CMS philosophy is: developer responsibility to maintain template and escape data provided by admin panel.
If you want fix template - please provide PR - I will merge it.

[zxc7528064]

@jmas Thank you for your attention to security problem !