Software link: Enhavo 0.13.1 [https://www.enhavo.com]
@author: Daniel Puente
@description: HTML Injection vulnerability in the field Author from the panel new Page -> Content-> Blockquote, of Enhavo v0.13.1 allow attackers to deface the webpage HTML via a crafted payload injected into Author field.
-
A page is added or is just edited, when editing its content, we need to create a new blockquote, where a crafted payload is given in the
Àuthorfield.
-
As a result, when saved and previewed, the HTML Injection becomes visible.
-
If accessed without the need of login (at the time of writing - 11/03/2023 - is published in [https://demo.enhavo.com/14]) it will be shown.
