Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Valid

Reported on

Jun 30th 2021


✍️ Description

Reflected XSS in ping.php: the value of the IP parameter is echoed straight into the page's HTML without validation or output encoding, so a crafted value is rendered as markup in the victim's browser.

🕵️‍♂️ Proof of Concept

Vulnerable Code:
<h2>Ping <? echo $ip; ?></h2>

Payload (supplied as the value of the IP parameter):
<script>alert(1)</script>

Resulting HTML:
<h2>Ping <script>alert(1)</script></h2>
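The snippet below is an added example, not code from fpp and not the merged fix: it places the vulnerable echo pattern from ping.php next to a hardened version that first checks that the value is actually an IP address and then HTML-encodes it on output. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: vulnerable pattern vs. hardened pattern for ping.php.
// Not fpp's code; function names are illustrative.

// Vulnerable: the raw parameter is interpolated into the page.
// A value of <script>alert(1)</script> is emitted as a live script tag.
function render_ping_heading_vulnerable(string $ip): string
{
    return "<h2>Ping $ip</h2>";
}

// Hardened: reject anything that is not an IP address (the value is a ping
// target, so an allow-list check is appropriate; hostnames would need a
// separate check), then HTML-encode on output regardless of the check.
function render_ping_heading_safe(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        // Caller should also send a 400 status; the body stays safe.
        return '<h2>Ping: invalid IP address</h2>';
    }
    $escaped = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Ping $escaped</h2>";
}

// Constructed inputs for a local run (e.g. `php example.php`).
$payload = '<script>alert(1)</script>';
echo render_ping_heading_vulnerable($payload), "\n";
echo render_ping_heading_safe($payload), "\n";
echo render_ping_heading_safe('192.168.1.10'), "\n";
```

With the payload from the proof of concept, the first call emits the script tag unchanged, while the hardened version refuses the value before it reaches the page. The htmlspecialchars call is kept even after validation so that the output stays safe if the validation is later relaxed, for example to allow hostnames.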

💥 Impact

Reflected XSS: an attacker who gets a logged-in user to open a crafted ping.php link can execute arbitrary JavaScript in that user's session of the fpp web interface.

Occurrences

A member of the falconchristmas/fpp team was contacted about the report.
x3rz submitted a fix and was awarded the fix bounty.
Greg Hormann confirmed that a fix has been merged in commit 305784.