• Resolved Siamocreativi

    (@siamocreativi)


    Good morning, my website security plugin noticed that Download Manager <=3.2.47 has a Contributor + Stored Cross Site Scripting vulnerability.

    The problem still persists from the last two updates of the plugin.

    Is there a fix in progress?
    Is it safe to use the plugin?

    My website is a private website protected by two-factor authentication login; could XSS still be injected into a login-protected website?
    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    Hi,
    The issue is fixed in 3.2.47 already, the notice is a false positive. Also, even if the issue exists, it is only exploitable by the admin himself or the users who are authorized by the admin to create posts. So, if your website doesn’t have untrustworthy authors, you have nothing to worry about for such an issue.

    However, we have already fixed this issue and you are safe using the plugin.

    Thread Starter Siamocreativi

    (@siamocreativi)

    Hello,
    thank you for your answer.

    I hope that you’ll solve this false positive problem too, because it is annoying to receive an alert twice a day from our security plugin about vulnerable software.
    Our client receives the same communication and rightly contacts us to find out if there are any problems.

    Thanks

    Anonymous User 17160716

    (@anonymized-17160716)

    Shafaet Alam,

    “Also, even if the issue exist, it is only exploitable by admin himself or the users, who are authorized by admin to create posts.”

    Contributor is a low-privilege user role, so it’s a bit odd that you’re trying to say it doesn’t mean anything.

    Plugin Contributor Shafaet Alam

    (@shafayat-alam)

    It is already fixed.

  • The topic ‘Contributor + Stored Cross Site Scripting’ is closed to new replies.