Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp


Reported on

Jun 2nd 2021

✍️ Description

Reflected XSS in changebranch.php where due to improper implementation of code an attacker is able to inject malicious tags

🕵️‍♂️ Proof of Concept

    $branch = escapeshellcmd($_GET['branch']);
    $command = "sudo /opt/fpp/scripts/git_branch " . $branch . " 2>&1";

    echo "Command: $command\n"; 

payload: <script>alert('XSS')</script>

💥 Impact

This vulnerability is capable of doing XSS

Greg Hormann validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Hormann marked this as fixed with commit 19c55e 2 years ago
Greg Hormann has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation