Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Reported on Jun 30th 2021

✍️ Description

Reflected XSS in ping.php as IP parameter is not sanitized.

🕵️‍♂️ Proof of Concept

Vulnerable Code:
<h2>Ping <? echo $ip; ?></h2>

<h2>Ping <? echo <script>alert(1)</script> ?></h2>

💥 Impact

This vulnerability is capable of reflected XSS

We have contacted a member of the falconchristmas/fpp team and are waiting to hear back a month ago
x3rz submitted a
a month ago
Greg Hormann confirmed that a fix has been merged on 305784 24 days ago
x3rz has been awarded the fix bounty