Cross-site Scripting (XSS) - Reflected in sbrl/pepperminty-wiki


Reported on

Sep 21st 2021

✍️ Description

Stored XSS in action

🕵️‍♂️ Proof of Concept

  1. Navigate to "index.php?action=<script>alert(1);</script>&page=Main Page"
  2. See XSS executed


💥 Impact

With this vulnerability, You can run arbitrary java script on all users.


This line directly throws user input into HTML without sanitation.

We have contacted a member of the sbrl/pepperminty-wiki team and are waiting to hear back 2 years ago
Starbeamrainbowlabs marked this as fixed with commit 2e1e1d 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
100-run.php#L56 has been validated
2 years ago


Thanks - that was a mistake that I should have caught earlier :P

to join this conversation