Ysurac / FlightAirMap

Open source project displaying live aircraft, ships or trackers on a 2D/3D map. Browse through the data based on a particular aircraft, airline, airport, tracker or vessel to search through the database or see extensive statistics. Can use ADS-B in SBS1 format (dump1090, Radarcape, ...), VRS, VA (VATSIM, IVAO whazzup.txt, phpvms, ...), ACARS (acarsdec, acarsdeco2), APRS and AIS as data sources.
https://www.flightairmap.com/
GNU Affero General Public License v3.0
516 stars, 157 forks

Reflected XSS in registration-sub-menu.php #410

Closed. prodigysml closed this issue 6 years ago.

prodigysml commented 6 years ago

The Issue

Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim's browser. This may lead to unauthorised actions being performed, unauthorised access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.

Where the Issue Occurred

The following code shows that the $_GET['registration'] variable is reflected to the victim's browser without any input validation, leading to reflected XSS: https://github.com/Ysurac/FlightAirMap/blob/aee2fd646e98a96b6125a83a1a05fc5adf202447/registration-sub-menu.php#L18

An example payload for the registration variable is given below:

"><img src=x onerror=alert(1)>
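To make the root cause and the fix concrete, here is an added PHP example that is not FlightAirMap's code and does not reproduce the actual line in registration-sub-menu.php. The hypothetical `render_unsafe()` models the pattern the report describes (a GET parameter written straight into HTML), and `render_safe()` shows the two defences that close it: allowlist validation of the input and contextual output encoding with `htmlspecialchars()` / `rawurlencode()`. The registration format (letters, digits and hyphens) is an assumption for the sake of the example, as are all function names.

```php
<?php
// Added example, not FlightAirMap code: contrast between reflecting a query
// parameter verbatim and the defences that stop reflected XSS.

// Hypothetical renderer that models the risky pattern from the issue: the
// request value lands inside an attribute and a text node unmodified.
function render_unsafe(array $get): string
{
    $registration = $get['registration'] ?? '';
    return '<a href="registration/' . $registration . '">' . $registration . '</a>';
}

// Defence 1: contextual output encoding for HTML text and attribute values.
// ENT_QUOTES encodes both quote styles, so a value can no longer close the
// attribute it is written into; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence 2: allowlist validation. Assumption for this example: an aircraft
// registration is 1-10 characters of letters, digits and hyphens ("N123AB",
// "G-ABCD"). Anything else is rejected rather than "cleaned up".
function valid_registration(string $s): bool
{
    return preg_match('/^[A-Za-z0-9-]{1,10}$/', $s) === 1;
}

function render_safe(array $get): string
{
    $registration = $get['registration'] ?? '';
    if (!valid_registration($registration)) {
        // A fixed message: the rejected value is not echoed at all.
        return '<p>Invalid registration</p>';
    }
    // URL path segment gets percent-encoding, HTML text gets entity encoding;
    // each encoder matches the context the value is written into.
    return '<a href="registration/' . rawurlencode($registration) . '">'
         . h($registration) . '</a>';
}

// Constructed inputs: a normal value and the payload quoted in the report.
$inputs = [
    ['registration' => 'G-ABCD'],
    ['registration' => '"><img src=x onerror=alert(1)>'],
];
foreach ($inputs as $get) {
    echo "unsafe: " . render_unsafe($get) . "\n";
    echo "safe:   " . render_safe($get) . "\n\n";
}
```

Running it shows the unsafe renderer emitting the `<img ... onerror=...>` element as live markup, while `render_safe()` refuses the value outright; even if validation were relaxed, `h()` would emit it as `&quot;&gt;&lt;img ...&gt;`, which the browser displays as text. Validation and encoding are complementary: validation shrinks the input space, encoding guarantees the remaining values cannot change the HTML structure.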