Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Valid

Reported on

Jun 30th 2021


✍️ Description

Reflected XSS in ping.php: the IP parameter is echoed into the page without being sanitized.

🕵️‍♂️ Proof of Concept

Vulnerable Code:
<h2>Ping <? echo $ip; ?></h2>

Payload (substituted into the vulnerable line):
<h2>Ping <? echo <script>alert(1)</script> ?></h2>
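As an added illustration, not code from the fpp project, the echo above is shown beside a hardened version that validates the parameter as an IP address and HTML-encodes it before output; reading the value from $_GET['ip'] is an assumption.

```php
<?php
// Added example, not fpp's own code. Assumes the address arrives as $_GET['ip'].

// Vulnerable pattern, as in the report: the value is echoed into HTML unchanged,
// so any markup in the parameter (for example a <script> tag) becomes live
// markup in the page and runs in the browser of whoever opens the link.
function render_ping_heading_vulnerable(string $ip): string
{
    return "<h2>Ping " . $ip . "</h2>";
}

// Hardened version: accept only a syntactically valid IPv4/IPv6 address, and
// HTML-encode whatever is printed so the browser treats it as text, not markup.
function render_ping_heading_safe(?string $ip): string
{
    if ($ip === null || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return "<h2>Ping: invalid address</h2>";
    }
    $encoded = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Ping " . $encoded . "</h2>";
}

$ip = $_GET['ip'] ?? null;
echo render_ping_heading_safe($ip);
```

Validation alone rejects the reflected payload here; the encoding step is kept so the output stays safe even if the accepted character set is later widened (for example to hostnames).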

💥 Impact

The unsanitized IP parameter allows reflected XSS: attacker-supplied script is echoed into the page and executes in the browser of any user who opens a crafted ping.php link.

Occurrences

We have contacted a member of the falconchristmas/fpp team and are waiting to hear back 2 years ago
x3rz submitted a
2 years ago
Greg Hormann marked this as fixed with commit 305784 2 years ago
x3rz has been awarded the fix bounty
This vulnerability will not receive a CVE