Cross-site Scripting (XSS) - Generic in emoncms/emoncms
Jul 17th 2021
Line 94 of
theme.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at
theme.php at line 94.
🕵️♂️ Proof of Concept
$q = ""; if (isset($_GET['q'])) $q = $_GET['q']; //get in line 16 echo $q; //print in line 94
The attacker can:
Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.