Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

FalconChristmas/fpp suffers from an XSS vulnerability. In https://github.com/FalconChristmas/fpp/blob/master/www/playlists.php#L15 we see:

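<?
// Runs only when a "playlist" query parameter is present
if (isset($_GET['playlist'])) {
?>
<script>
    // Raw request value is echoed inside a JavaScript string literal
    var initialPlaylist = "<? echo $_GET['playlist']; ?>";
</script>
<?
}
?>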

XSS is possible because the playlist parameter isn't sanitized before it is reflected into the webpage, where it lands inside a JavaScript string literal.

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/playlists.php?playlist=aaa%22;alert(%22zer0h%22);//

💥 Impact

Attackers can externally shut down the FPPD or run arbitrary FPP commands.
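
One way to close the reflection described above, shown beside the reported pattern. This is an added example, not code from the report or from the FPP project; the function names are hypothetical and the sample inputs are constructed (the first is the decoded value from the proof of concept).

```php
<?php
// Added example, not FPP's own code. Function names are hypothetical.

// Mirrors the reported pattern: the raw value is concatenated inside
// a double-quoted JavaScript string literal.
function render_vulnerable(string $playlist): string
{
    return "<script>\n    var initialPlaylist = \"" . $playlist . "\";\n</script>\n";
}

// Hardened: json_encode() emits a complete, quoted JS string literal.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
// value can neither end the string nor end the <script> element.
function render_hardened(string $playlist): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $literal = json_encode($playlist, $flags);
    if ($literal === false) {
        $literal = '""'; // fail closed to an empty string on encoding errors
    }
    return "<script>\n    var initialPlaylist = " . $literal . ";\n</script>\n";
}

// Constructed sample inputs: the decoded proof-of-concept value and a
// benign playlist name.
$samples = [
    'aaa";alert("zer0h");//',
    'Xmas Show 2021',
];

foreach ($samples as $value) {
    echo "--- input: ", $value, "\n";
    echo "vulnerable:\n", render_vulnerable($value);
    echo "hardened:\n", render_hardened($value);
}

// In the page itself the call would look like:
//   if (isset($_GET['playlist']) && is_string($_GET['playlist'])) {
//       echo render_hardened($_GET['playlist']);
//   }
```

Run with the PHP CLI to compare the two outputs: in the vulnerable form the quote in the input ends the string literal, while in the hardened form the whole value stays inside it as data.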