Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
Reported on
May 12th 2021
✍️ Description
FalconChristmas/fpp suffers from an XSS vulnerability.
In https://github.com/FalconChristmas/fpp/blob/master/www/playlists.php#L15 we see:
<?
if (isset($_GET['playlist'])) {
?>
<script>
var initialPlaylist = "<? echo $_GET['playlist']; ?>";
</script>
XSS is possible because the playlist variable isn't sanitized before it is reflected into the webpage, where it lands inside a JavaScript string literal.
🕵️‍♂️ Proof of Concept
Visit http://127.0.0.1/playlists.php?playlist=aaa%22;alert(%22zer0h%22);//
💥 Impact
Attackers can externally shut down the FPPD or run arbitrary FPP commands.
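One way to encode the value for its JavaScript context, shown beside the reported pattern. This is an added example, not part of the original report or the fpp code base; the function names and sample inputs are constructed for illustration, and it assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example: not code from the fpp repository.
declare(strict_types=1);

/** Pattern from the report: raw request value placed inside a JS string literal. */
function renderVulnerable(string $playlist): string
{
    return "<script>\nvar initialPlaylist = \"" . $playlist . "\";\n</script>";
}

/**
 * Hardened form: json_encode() emits a complete, quoted JS string literal.
 * The JSON_HEX_* flags also write <, >, &, ' and " as \uXXXX escapes, so the
 * value can close neither the string nor the surrounding <script> element.
 * JSON_THROW_ON_ERROR rejects invalid UTF-8 instead of returning false.
 */
function renderHardened(string $playlist): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return "<script>\nvar initialPlaylist = "
         . json_encode($playlist, $flags) . ";\n</script>";
}

// Constructed inputs (hypothetical playlist names), plus the decoded
// parameter value from the report's proof of concept.
$samples = [
    'aaa";alert("zer0h");//',   // value from the report, URL-decoded
    'Show </script> 2021',      // name containing a closing script tag
    "Xmas 'Main' Show",         // ordinary name with quotes
];

foreach ($samples as $value) {
    echo "--- input: ", $value, "\n";
    echo "reported pattern:\n", renderVulnerable($value), "\n";
    echo "encoded:\n", renderHardened($value), "\n\n";
}
```

Run with `php` on the command line: for the report's value, the encoded output keeps the whole input inside one string literal (`"aaa\u0022;alert(\u0022zer0h\u0022);\/\/"`), while the reported pattern ends the string after `aaa`.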