Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Reported on May 12th 2021

✍️ Description

FalconChristmas/fpp suffer from a XSS vulnerability. In we see :

if (isset($_GET['playlist'])) {
    var initialPlaylist = "<? echo $_GET['playlist']; ?>";

XSS is possible because the playlist variable isn't sanitized before reflection in the webpage.

🕵️‍♂️ Proof of Concept


💥 Impact

Attackers can externally shutdown the FPPD or run arbitrary FPP commands