Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
Jun 26th 2021
?tab= parameter is vulnerable to Cross Site Scripting. Line 1974 of
backup.php sends unvalidated data to a web browser, which can result in the browser executing malicious code of XSS.
🕵️♂️ Proof of Concept
- Just visit
/settings.php?tab=</script><script>alert(1)and XSS will be pop up.
The attacker can:
- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.