Closed seongil-wi closed 3 years ago
Well, besides this XSS, there are a lot of other weird problems in the demo files. Therefore, they are disabled by default. https://github.com/JamesHeinrich/getID3/blob/4e02ed09c081a606c734c6b27d1b504fecfe402f/demos/demo.mysqli.php#L15 But in any case, this will be fixed in #342. Thanks!
Describe the bug Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorised actions being performed, unauthorised access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.
To Reproduce Steps to reproduce the behavior:
Where the Issue Occurred The code below displays the user-controlled parameter
showtagfiles
without sufficient sanitization: https://github.com/JamesHeinrich/getID3/blob/4e02ed09c081a606c734c6b27d1b504fecfe402f/demos/demo.mysqli.php#L1500