Closed by OmgImAlexis 2 years ago
Just post it here; hopefully no one runs Unraid directly connected to the internet. No point in hiding stuff.
None of the $_GET are escaped/sanitized leading to code injection.
http://tower.local/plugins/disklocation/pages/script/locate_script_top.js.php?v=1629174602&path=%27);%20alert(1);%20//
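An added example, not code from the disklocation plugin or from anyone in this thread: the concatenation pattern the report describes next to a version that emits the `$_GET` value as an encoded JavaScript string literal. The JS function name `locateDisk` and the PHP helper names are assumptions; the sample `path` value is the decoded one from the URL in the report.

```php
<?php
declare(strict_types=1);

// Added example. locateDisk() and the helper names below are hypothetical;
// only the `path` parameter and its sample value come from the report.

// Pattern the report describes: request data concatenated into generated JavaScript.
function render_vulnerable(array $get): string
{
    return "locateDisk('" . ($get['path'] ?? '') . "');\n";
}

// Encode a PHP string as a JavaScript string literal. The JSON_HEX_* flags
// turn quotes, <, > and & into \uXXXX escapes, so the value cannot close the
// literal or a surrounding <script> element.
function js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function render_hardened(array $get): string
{
    $path = $get['path'] ?? '';
    if (!is_string($path)) {          // ?path[]=x arrives as an array
        return "/* invalid path */\n";
    }
    try {
        return 'locateDisk(' . js_string($path) . ");\n";
    } catch (JsonException $e) {      // malformed UTF-8 in the parameter
        return "/* invalid path */\n";
    }
}

// Constructed input: the decoded query string from the report's URL.
$get = ['v' => '1629174602', 'path' => "'); alert(1); //"];

echo render_vulnerable($get);  // the quote ends the literal; the rest runs as script
echo render_hardened($get);    // the whole value stays inside one string literal
```

Run it with `php` on the command line to compare the two generated lines.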
Actually, that file has the same type of SQL issue in a few other places too: https://github.com/olehj/disklocation/blob/6aa5e7a73675f4b112362621fca0eacd297e9a67/disklocation/pages/system.php#L721-L726
Hi,
What's your process for reporting security sensitive issues?