Cross-site Scripting (XSS) - Reflected in erikdubbelboer/phpredisadmin


Reported on

Aug 23rd 2021

✍️ Description

The application is vulnerable to XFS attack.

🕵️‍♂️ Proof of Concept

Navigate to https://domain.tld/phpRedisAdmin/?

The page will be loaded in an iframe on the page.

💥 Impact

Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. The attacker’s page then loads malicious JavaScript and an HTML iframe pointing to a legitimate site. Once the user enters credentials into the legitimate site within the iframe, the malicious JavaScript steals the keystrokes.


We have contacted a member of the erikdubbelboer/phpredisadmin team and are waiting to hear back 2 years ago
Erik Dubbelboer marked this as fixed with commit e24eca 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation