Closed bestshow closed 7 years ago
Excuse me, is there anyone dealing with this issue?
Not at the moment, sorry,
but it is on the debug list.
On 31 Mar 2017, at 13:37, bestshow notifications@github.com wrote:
Excuse me, is there anyone dealing with this issue?
Product: PiHome 2.0
Download: https://github.com/cerosx/RPI.PIHome2.0-GUI-Frontend
Vulnerable Version: latest version
Tested Version: latest version
Author: ADLab of Venustech

Advisory Details: A Cross-Site Scripting (XSS) vulnerability was discovered in “PiHome 2.0 latest version”, which can be exploited to execute arbitrary code. The vulnerability exists due to insufficient filtration of user-supplied data in the “c” HTTP GET parameter passed to the “RPI.PIHome2.0-GUI-Frontend-master/pihome/views/intern/footer.tpl.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to show a pop-up message box:

PoC: http://localhost/.../RPI.PIHome2.0-GUI-Frontend-master/pihome/views/intern/footer.tpl.php?c=%22%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
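One way to close this class of bug, shown as an added example that is not PiHome's code and not part of the original report: validate `c` against an allow-list, then encode it for the exact context it is written into. The page does not show how `footer.tpl.php` uses `c`, so the allow-list values, the helper names and both output sinks are assumptions (PHP 7.3 or later for `JSON_THROW_ON_ERROR`).

```php
<?php
// Added example, not PiHome's code. How footer.tpl.php uses "c" is not shown
// in the report, so the allow-list and both sinks below are assumptions.

// Hypothetical allow-list: assumes "c" selects a controller or view by name.
const ALLOWED_C = ['home', 'devices', 'settings'];

// Accept only known string values; arrays (?c[]=x) and unknown names fall back.
function validated_c($raw): string
{
    return is_string($raw) && in_array($raw, ALLOWED_C, true) ? $raw : 'home';
}

// Encode for an HTML text or quoted-attribute context.
function html_ctx(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode as a JavaScript string literal for use inside a script block.
// JSON_HEX_TAG escapes < and > so the value cannot terminate the block;
// JSON_HEX_QUOT / JSON_HEX_APOS keep it from breaking out of a quoted string.
function js_ctx(string $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

// Hypothetical footer fragment with one HTML sink and one script sink.
function render_footer($raw): string
{
    $c = validated_c($raw);
    return '<footer data-c="' . html_ctx($c) . '"></footer>'
         . '<script>var c = ' . js_ctx($c) . ';</script>';
}

// The decoded value of the "c" parameter from the PoC URL in the report.
$poc = '"></script><script>alert(1);</script>';

// Each encoder alone renders the value inert in its own context.
echo html_ctx($poc), PHP_EOL;
echo js_ctx($poc), PHP_EOL;

// With validation in front, the value never reaches either sink.
echo render_footer($poc), PHP_EOL;
echo render_footer(['x']), PHP_EOL;
```

Run it with `php` on the command line: the first two lines show the reported value encoded for each context, and the last two show the fallback `home` rendered instead of the request value.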