We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

/

Cross-site Scripting (XSS) - Stored in falconchristmas/fpp

Valid

Reported on

Jun 18th 2021

✍️ Description

fpp is vulnerable to XSS through file name.

🕵️‍♂️ Proof of Concept

Access /upload.
Change the name of an image to <img src onerror=alert(document.domain)>.png.
Upload it.

💥 Impact

JavaScript code execution.

Occurrences

jqupload.php L39

Renan Rocha modified the report

2 years ago

Greg Hormann validated this vulnerability 2 years ago

Renan Rocha has been awarded the disclosure bounty

The fix bounty is now up for grabs

Greg Hormann marked this as fixed with commit 1142fc 2 years ago

Greg Hormann has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

Renan Rocha modified the report

2 years ago

Greg Hormann validated this vulnerability 2 years ago

Renan Rocha has been awarded the disclosure bounty

The fix bounty is now up for grabs

Greg Hormann marked this as fixed with commit 1142fc 2 years ago

Greg Hormann has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation