Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

An XSS vulnerability is present in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L26 because the `os` query parameter is echoed into the page without any user input sanitization:

Image: <? echo $_GET['os']; ?><br>
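The following is an added example, not code from the fpp project or from the report author: it reproduces the reflection pattern above in its unsafe form and beside it the hardened form, which HTML-encodes the value with htmlspecialchars() for the text context it is written into. The function names, the $_GET-style array argument and the allow-list pattern for an image filename are assumptions for illustration.

```php
<?php
// Added example (not the fpp project's code): the reflected-parameter pattern
// shown unescaped and then HTML-encoded. Function names, the array argument and
// the filename pattern are assumptions for illustration.

// Vulnerable form: the query parameter is written straight into the HTML body,
// so any markup supplied in ?os=... is interpreted by the browser.
function render_image_name_unsafe(array $get): string {
    return 'Image: ' . ($get['os'] ?? '') . "<br>\n";
}

// Hardened form: encode the value for the HTML text context it is placed in.
// ENT_QUOTES also encodes single quotes, which matters if the same value is ever
// reused inside an attribute; the explicit charset keeps the encoder and the
// page's declared encoding in agreement.
function render_image_name_safe(array $get): string {
    $os = htmlspecialchars((string)($get['os'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Image: ' . $os . "<br>\n";
}

// Defence in depth: the parameter is meant to name an OS image, so an allow-list
// on its shape (assumed pattern) rejects anything that does not look like a filename,
// independently of the output encoding above.
function is_valid_image_name(string $os): bool {
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,128}$/', $os);
}

// Constructed sample input: the same payload as the proof of concept.
$sample = ['os' => "<script>alert('zer0h')</script>"];

echo render_image_name_unsafe($sample);   // the browser would execute the script tag
echo render_image_name_safe($sample);     // the payload is rendered as literal text
var_dump(is_valid_image_name($sample['os']));
```

Output encoding is the fix for this bug class; the allow-list is a second, independent control and should not replace it, since the same value could reach other output contexts where a filename-shaped string is still dangerous.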

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/upgradeOS.php?os=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E

💥 Impact

XSS