Closed enferas closed 2 years ago
CVE-2021-43686 is assigned to this discovery.
nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message which has the input $_GET['t'].
You are mistaken, there is no vulnerability here. Look closer at the nzedb/utility/Misc.php code, lines 1025-1027. The passed in message is replaced with a simpler but safe version which does not include the user input. The user input is passed to the ShowApiError method so that we can add logging for it later when the api is rewritten.
Hello,
I would like to report an XSS vulnerability.
The path of the vulnerability:
file www/pages/api.php line 49
file nzedb/utility/Misc.php in line 991
The exit function will terminate the script and print the message which has the input $_GET['t']. Then there is an XSS vulnerability.
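The pattern the report describes (a query parameter reaching the message that `exit()` prints) next to the two defensive shapes discussed in the thread, as an added illustration that is not nZEDb's code; the function names, the error code value and the log format are hypothetical:

```php
<?php
// Added example, not code from the nZEDb project. Shows an API error path
// that reflects a raw query parameter, and two ways to handle the same
// error without letting a browser interpret the user-controlled value.

// Problematic pattern (hypothetical): the raw `t` parameter is concatenated
// into the string that exit() prints, so any markup in it is rendered by
// a browser that receives the response as HTML.
function apiErrorUnsafe(string $type): void
{
    exit('Unknown API function: ' . $type);
}

// Variant 1, the approach the maintainer describes: the message sent to the
// client is fixed and contains no user input; the raw value goes only to the
// server log (hex-encoded here so log viewers cannot misrender it either).
function apiErrorFixedMessage(int $code, string $type): void
{
    error_log(sprintf('api error %d, unknown t=0x%s', $code, bin2hex($type)));
    header('Content-Type: text/plain; charset=utf-8', true, 400);
    echo "Unknown API function (error {$code})";
    exit;
}

// Variant 2: the value is echoed, but escaped for an HTML context and sent
// with an explicit content type and charset, so it is displayed as text.
function apiErrorEscaped(int $code, string $type): void
{
    header('Content-Type: text/html; charset=utf-8', true, 400);
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo "<p>Unknown API function &quot;{$safe}&quot; (error {$code})</p>";
    exit;
}

// The `t` parameter is client-controlled; the error code 900 is a placeholder.
$t = $_GET['t'] ?? '';
apiErrorFixedMessage(900, $t);
```

Which variant applies depends on whether the endpoint is meant to echo the requested function name at all; if it is not, the fixed-message form removes the reflected value entirely rather than relying on escaping.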