Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. This has been fixed in 5.73.16 and 6.7.2.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Statamic 跨站脚本漏洞

Statamic是美国Statamic公司的一个基于 Laravel 构建的强大的平面文件 Cms。用于将所有内容、模板、资产和设置存储在文件而不是数据库中。 Statamic 5.73.16之前版本和6.7.2之前版本存在跨站脚本漏洞，该漏洞源于user:reset_password_form标签将用户输入直接渲染到HTML中而未转义，可能导致攻击者制作在受害者浏览器中执行任意JavaScript的URL。

N/A

N/A