Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp


Reported on

May 29th 2021

✍️ Description

Hi, there are 2 potential reflected XSS issues in :

<?php
// Vulnerable code as reported: the `ip` query parameter is taken
// straight from the request and echoed back unescaped.
$ip = $_GET['ip'];

if (isset($_GET['mode'])) {
    echo "Setting FPPD mode @ $ip\n";   // reflected without sanitization
}

echo "Restarting FPPD @ $ip\n";         // reflected without sanitization

The ip variable is reflected without any sanitization.
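A hardened version of the same handler, added here as an example and not taken from fpp's code base: the parameter is first validated as a literal IP address with `filter_var`, then HTML-escaped before it is echoed, so markup can never reach the response. The function names and the constructed inputs at the bottom are assumptions for a stand-alone run.

```php
<?php
// Added example (not fpp's own code): hardened handling of the `ip`
// query parameter. Function names and sample inputs are assumptions.

/**
 * Return $ip only if it is a bare IPv4/IPv6 address, otherwise null.
 * FILTER_VALIDATE_IP rejects anything that is not a plain address,
 * so angle brackets, quotes or other markup cannot pass this check.
 */
function validatedIp(?string $ip): ?string
{
    if ($ip === null) {
        return null;
    }
    $clean = filter_var($ip, FILTER_VALIDATE_IP);
    return $clean === false ? null : $clean;
}

/**
 * Build the status text from the query array ($_GET in a web context).
 * The value is HTML-escaped as defence in depth even though it has
 * already been validated, so the output is safe in an HTML body.
 */
function statusMessage(array $query): string
{
    $ip = validatedIp($query['ip'] ?? null);
    if ($ip === null) {
        return "Invalid or missing ip parameter\n";
    }
    $safeIp = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $out = '';
    if (isset($query['mode'])) {
        $out .= "Setting FPPD mode @ $safeIp\n";
    }
    $out .= "Restarting FPPD @ $safeIp\n";
    return $out;
}

// Constructed inputs for a stand-alone run (`php hardened.php`);
// in the real handler you would call statusMessage($_GET).
$good = ['ip' => '192.168.1.10', 'mode' => 'remote'];
$bad  = ['ip' => '192.168.1.10<b>', 'mode' => 'remote'];
echo statusMessage($good);   // both lines, address echoed unchanged
echo statusMessage($bad);    // rejected before anything is reflected
```

Validation alone is the fix that matters here; the escaping is kept so that a later change to accept hostnames does not silently reopen the reflection.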

🕵️‍♂️ Proof of Concept

Visit or visit the same URL and add &mode=

💥 Impact


