Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Valid

Reported on

Jun 2nd 2021

✍️ Description

Reflected XSS in changebranch.php where due to improper implementation of code an attacker is able to inject malicious tags

🕵️‍♂️ Proof of Concept

    $branch = escapeshellcmd($_GET['branch']);
    $command = "sudo /opt/fpp/scripts/git_branch " . $branch . " 2>&1";

    echo "Command: $command\n"; 

payload: <script>alert('XSS')</script>

💥 Impact

This vulnerability is capable of doing XSS

Occurrences

changebranch.php L25

Greg Hormann validated this vulnerability 2 years ago

x3rz has been awarded the disclosure bounty

The fix bounty is now up for grabs

Greg Hormann marked this as fixed with commit 19c55e 2 years ago

Greg Hormann has been awarded the fix bounty

This vulnerability will not receive a CVE