✍️ Description

Hi, in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/rebootRemoteFPP.php#L15 the variable ip is reflected without prior sanitization :

$ip = $_GET['ip'];

echo "Rebooting FPP system @ $ip\n";

🕵️‍♂️ Proof of Concept

Visit : http://127.0.0.1/rebootRemoteFPP.php?ip=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E

💥 Impact

XSS