Cross-site Scripting (XSS) - Stored in falconchristmas/fpp


Reported on

Jun 18th 2021

✍️ Description

fpp is vulnerable to XSS through file name.

🕵️‍♂️ Proof of Concept

  1. Access /upload.
  2. Change the name of an image to <img src onerror=alert(document.domain)>.png.
  3. Upload it.

💥 Impact

JavaScript code execution.

Renan Rocha modified the report
2 years ago
Greg Hormann validated this vulnerability 2 years ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Hormann marked this as fixed with commit 1142fc 2 years ago
Greg Hormann has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation