Open everping opened 5 years ago
Summary

The parameter `project` is not sanitized, so attackers can poison this parameter and then create a reflected XSS attack.

PoC

http://domain.tld/display.php?browse[]=all&project=1">test</a><script>alert(123)</script>&select=desk&_=1555500329996

Details

The flaw exists since `$project` was assigned to a GET parameter without sanitizing: https://github.com/mkucej/i-librarian/blob/07a2668ae012ff0d3fbede934fa526cd7d1c7c41/display.php#L15

Then, `$project` was printed without escaping: https://github.com/mkucej/i-librarian/blob/07a2668ae012ff0d3fbede934fa526cd7d1c7c41/display.php#L326
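The pattern the report describes (a GET value assigned unsanitized, then echoed unescaped) next to a hardened version, as an added example that is not i-librarian's code; the function names, the `$_GET` handling and the HTML attribute context are assumptions, since the referenced display.php lines are not reproduced on this page.

```php
<?php
// Added example, not the i-librarian code. The two functions model the
// report's two lines (assignment without sanitizing, output without
// escaping) and a defensive equivalent; the HTML context is assumed.

// Vulnerable pattern: the raw query value is placed straight into markup,
// so a double quote in the input closes the attribute and the rest of the
// input becomes live HTML.
function render_project_vulnerable(array $get): string
{
    $project = $get['project'] ?? '';                                    // assigned, not sanitized
    return '<a href="display.php?project=' . $project . '">project</a>'; // printed, not escaped
}

// Hardened pattern, two independent layers:
//  1. validate on input: project is an identifier (the PoC uses project=1),
//     so only digit strings are accepted; anything else gets a safe default;
//  2. escape on output anyway, with ENT_QUOTES so a stray quote can never
//     terminate the attribute even if validation is loosened later.
function render_project_hardened(array $get): string
{
    $raw = (string) ($get['project'] ?? '');
    if (!ctype_digit($raw)) {
        $raw = '0'; // unexpected shape: do not echo attacker-controlled text
    }
    $project = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="display.php?project=' . $project . '">project</a>';
}

// Constructed input shaped like the issue's PoC (not captured traffic).
$attack = ['project' => '1">test</a><script>alert(1)</script>'];

// Vulnerable output: the attribute closes after "1" and a script element follows.
echo render_project_vulnerable($attack), PHP_EOL;

// Hardened output: the input fails ctype_digit and the link points at project 0.
echo render_project_hardened($attack), PHP_EOL;

// Escaping alone (without the integer check) also leaves the markup inert:
// quotes and angle brackets become entities, so nothing can break out of the attribute.
echo htmlspecialchars($attack['project'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```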
Thank you. This will be fixed in the next version.
@mkucej Can you assign this flaw a CVE?