Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp


Reported on

May 12th 2021

✍️ Description

FalconChristmas/fpp suffers from a reflected XSS vulnerability. In the affected file we see:

if (isset($_GET['playlist'])) {
    var initialPlaylist = "<? echo $_GET['playlist']; ?>";

XSS is possible because the playlist query parameter is neither validated nor encoded before it is reflected into a JavaScript string literal in the page, so a crafted value can break out of the literal and run in the visitor's browser.
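The following is an added example, not code from the fpp project, showing one way the line above can be hardened: the request value is checked against an allow-list pattern (an assumed policy, not fpp's), and it is then rendered into the script as a JSON-encoded string literal with the JSON_HEX_* flags so it can never contain a bare quote or a closing script tag. The function names are hypothetical.

```php
<?php
// Added example, not code from the fpp project. Shows how a value taken from the request
// can be embedded in an inline <script> string literal without opening the page to XSS.

// Allow-list check for playlist names (assumed policy: letters, digits, space, dot, dash,
// underscore, at most 64 characters). Reject anything else before it reaches the page.
function validPlaylistName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9 ._-]{1,64}$/', $name) === 1;
}

// Render a PHP string as a JavaScript string literal. json_encode supplies the quotes and
// backslash escapes; the JSON_HEX_* flags turn < > & ' " into \uXXXX so the output can never
// contain </script> or an unescaped quote, even if a caller forgot to validate first.
function jsStringLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Emit the script line from the advisory, hardened: validate, then encode.
// Unknown or malformed names fall back to an empty playlist instead of being echoed.
function initialPlaylistScript(?string $requested): string
{
    if ($requested === null || !validPlaylistName($requested)) {
        return 'var initialPlaylist = "";';
    }
    return 'var initialPlaylist = ' . jsStringLiteral($requested) . ';';
}

// On a real page the input would be $_GET['playlist']; these are constructed sample values
// so the script runs offline from the command line.
foreach (['Christmas 2021', 'Show "A" <b>', str_repeat('x', 65)] as $sample) {
    echo initialPlaylistScript($sample), "\n";
}

// The encoder on its own, to show what the hex flags do to quotes and angle brackets.
echo jsStringLiteral('Show "A" <b>'), "\n";
```

Validation and encoding are deliberately separate: the allow-list keeps the value sensible for the application, while the encoder guarantees the script context stays intact regardless of what slipped past the check.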

🕵️‍♂️ Proof of Concept


💥 Impact

Attackers can externally shut down the FPPD or run arbitrary FPP commands.

Jamie Slome
3 years ago


Any status on this?
