Cross-site Scripting (XSS) - Reflected in sbrl/pepperminty-wiki

Valid

Reported on

Sep 21st 2021


✍️ Description

Stored XSS in action

🕵️‍♂️ Proof of Concept

  1. Navigate to "index.php?action=<script>alert(1);</script>&page=Main Page"
  2. See XSS executed

xss

💥 Impact

With this vulnerability, You can run arbitrary java script on all users.

Occurences

This line directly throws user input into HTML without sanitation.

We have contacted a member of the sbrl/pepperminty-wiki team and are waiting to hear back 2 months ago
Starbeamrainbowlabs confirmed that a fix has been merged on 2e1e1d 2 months ago
The fix bounty has been dropped
100-run.php#L56 has been validated
Starbeamrainbowlabs
2 months ago

Maintainer


Thanks - that was a mistake that I should have caught earlier :P