Stored XSS in profile page

Description:
Cross-site scripting (XSS) vulnerability in Gleez CMS allow remote attackers (users) to inject arbitrary Javascript or HTML via the profile page editor, which will result in a Stored XSS on his public profile.

Vulnerability Type: Stored XSS

Attack Vectors:

1. Go to your profile page editor https://demo.gleezcms.org/user/edit
2. Set your home page URL to : http://x.x/<svg onload=alert(document.cookie)>

Now when someone will check your profile page, alert(document.cookie) will be executed.

[anupriya17]

Thank you for pointing out. We’re looking into an xss library to be used to clean the data Very soon we will update.

…

On 18-Jul-2018, at 4:35 PM, DrStacheWH ***@***.***> wrote: Description: Cross-site scripting (XSS) vulnerability in Gleez CMS allow remote attackers (users) to inject arbitrary Javascript or HTML via the profile page editor, which will result in a Stored XSS on his public profile. Vulnerability Type: Stored XSS Attack Vectors: Go to your profile page editor https://demo.gleezcms.org/user/edit Set your home page URL to : http://x.x/<svg onload=alert(document.cookie)> Now when someone will check your profile page, alert(document.cookie) will be executed. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[NicoleG25]

Has there been an update regarding this vulnerability?
Thanks.