Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Feb 12th 2022
https://github.com/gnuboard/gnuboard5/blob/v5.4.22/mobile/shop/lg/mispwapurl.php#L7 has no filtering for the variable.
So attackers can trigger reflected XSS via
Proof of Concept
An attacker can execute arbitrary JS code.
We are processing your report and will contact the gnuboard/gnuboard5 team within 24 hours. (a year ago)
We have sent a second follow up to the gnuboard/gnuboard5 team. We will try again in 10 days. (a year ago)
We have sent a third and final follow up to the gnuboard/gnuboard5 team. This report is now considered stale. (a year ago)
gnuboard validated this vulnerability (a year ago)
SeungHyun Kim has been awarded the disclosure bounty
The fix bounty is now up for grabs