Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
Reported on
May 12th 2021
✍️ Description
In https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L26
the page echoes the user-supplied version query parameter straight into the HTML response, with no encoding or validation:
Version: <? echo $_GET['version']; ?><br>
Because the value is written into element content unescaped, any markup in the parameter (including a script element) is parsed and executed by the browser.
🕵️♂️ Proof of Concept
Visit http://127.0.0.1/gitCheckoutVersion.php?version=a%3Cscript%3Ealert(%22zer0h%22);%3C/script%3E
The version parameter decodes to a<script>alert("zer0h");</script>, which the page renders as live markup, so the alert fires in the origin of the FPP web interface.
💥 Impact
Reflected cross-site scripting: a user who opens a crafted link to the FPP web interface has attacker-controlled JavaScript executed in that interface's origin, with whatever access the user's browser session holds there.
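The following is an added example, not code from the fpp project: it reproduces the vulnerable pattern from gitCheckoutVersion.php as a function, places a hardened version next to it, and feeds both the decoded PoC payload from this report. The function names, the git-ref character set used for validation, and the CLI demo are assumptions made for the example; the escaping call is standard PHP.

```php
<?php
// Added example (not fpp project code): vulnerable vs. hardened rendering of
// the `version` query parameter. Run with: php xss_demo.php
declare(strict_types=1);

// Decoded PoC payload from the report, used here as constructed sample input.
const POC_PAYLOAD = 'a<script>alert("zer0h");</script>';

/**
 * Vulnerable pattern, equivalent to
 *   Version: <? echo $_GET['version']; ?><br>
 * The raw query value is concatenated into HTML element content.
 */
function renderVersionVulnerable(array $get): string
{
    $version = (string)($get['version'] ?? '');
    return 'Version: ' . $version . "<br>\n";
}

/**
 * Hardened: HTML-encode for the element-content context.
 * ENT_QUOTES also encodes ' and " so the same helper is safe inside a
 * double-quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string (which would silently drop output).
 */
function renderVersionEscaped(array $get): string
{
    $version = (string)($get['version'] ?? '');
    $safe = htmlspecialchars($version, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return 'Version: ' . $safe . "<br>\n";
}

/**
 * Defence in depth (assumed policy, not the project's rule): the value names a
 * git ref to check out, so reject anything outside a conservative ref
 * character set before it is echoed or handed to git.
 */
function isPlausibleGitRef(string $ref): bool
{
    return $ref !== ''
        && strlen($ref) <= 128
        && preg_match('/^[A-Za-z0-9._\/-]+$/', $ref) === 1;
}

function renderVersionValidated(array $get): string
{
    $version = (string)($get['version'] ?? '');
    if (!isPlausibleGitRef($version)) {
        // A real handler would also send a 400 status here.
        return "Version: invalid<br>\n";
    }
    // Still encode: validation narrows input, encoding is what makes the
    // output safe in its HTML context.
    return renderVersionEscaped(['version' => $version]);
}

// Demo: simulate the PoC request and a legitimate request against each renderer.
if (PHP_SAPI === 'cli') {
    $poc = ['version' => POC_PAYLOAD];
    echo 'vulnerable: ' . renderVersionVulnerable($poc);
    echo 'escaped:    ' . renderVersionEscaped($poc);
    echo 'validated:  ' . renderVersionValidated($poc);
    echo 'legit:      ' . renderVersionValidated(['version' => 'v5.0']);
}
```

Encoding at the point of output is the fix for this bug; the ref-pattern check is an extra layer that is only appropriate because the parameter is meant to be a git ref, and it must not replace the encoding step, since the same value might later be echoed in a different HTML context.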