topdown / VVV-Dashboard

Dashboard for Varying Vagrant Vagrants https://github.com/Varying-Vagrant-Vagrants/VVV

Varying Vagrant Vagrants Dashboard – Cross-Site Scripting (XSS) in “favorite_plugins.php” #54

Closed bestshow closed 7 years ago

bestshow commented 7 years ago

Product: Varying Vagrant Vagrants Dashboard
Download: https://github.com/topdown/VVV-Dashboard
Vulnerable Version: 0.2.0 and probably prior
Tested Version: 0.2.0
Author: ADLab of Venustech

Advisory Details: A Cross-Site Scripting (XSS) was discovered in “Varying Vagrant Vagrants Dashboard 0.2.0”, which can be exploited to execute arbitrary code. The vulnerability exists due to insufficient filtration of user-supplied data in the “host” HTTP GET parameter passed to the “VVV-Dashboard-master/views/forms/favorite_plugins.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to show a pop-up message box:

PoC:
http://localhost/.../VVV-Dashboard-master/views/forms/favorite_plugins.php?host=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
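The PoC above closes the attribute it lands in with `"` and `>` and then opens a `<script>` tag, which is the classic reflected-XSS pattern for a parameter echoed into an HTML attribute. The following is an added example written for this page; it is not code from VVV-Dashboard and does not reproduce the real `favorite_plugins.php`. It assumes (as a hypothetical) that the vulnerable form echoes `$_GET['host']` unescaped into a `value="..."` attribute, and shows that pattern next to a hardened version that HTML-encodes for the attribute context and, as added defence in depth, validates that `host` looks like a hostname before it is used at all. The function names `render_host_field_vulnerable`, `render_host_field_safe` and `valid_host` are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not VVV-Dashboard code. Assumes the vulnerable form
// reflects $_GET['host'] straight into an attribute value (hypothetical).

/** Vulnerable pattern: the parameter is concatenated into the attribute verbatim. */
function render_host_field_vulnerable(string $host): string
{
    return '<input type="text" name="host" value="' . $host . '">';
}

/**
 * Hardened pattern: encode for the HTML attribute context before output.
 * ENT_QUOTES encodes both " and ' so the attribute cannot be closed early;
 * the attribute itself is always double-quoted so no unquoted-attribute
 * breakout (e.g. a bare space) is possible.
 */
function render_host_field_safe(string $host): string
{
    $encoded = htmlspecialchars($host, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="host" value="' . $encoded . '">';
}

/**
 * Defence in depth (added here, not part of the original fix): a "host"
 * value should be a hostname, so reject anything that is not one before
 * it is reflected, written to config, or used in a request.
 */
function valid_host(string $host): bool
{
    return filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Constructed input: the advisory's PoC payload, URL-decoded.
$payload = '"><script>alert(1);</script><"';

// Constructed input: a plausible VVV site host, which must still be accepted.
$legit = 'local.wordpress.dev';

echo "vulnerable: ", render_host_field_vulnerable($payload), PHP_EOL;
echo "hardened:   ", render_host_field_safe($payload), PHP_EOL;

// Self-checks of the properties that matter.
$safe = render_host_field_safe($payload);
assert(strpos($safe, '<script') === false);          // no tag survives encoding
assert(substr_count($safe, '"') === 6);              // only the template's own quotes remain
assert(valid_host($legit) === true);                 // real hosts pass validation
assert(valid_host($payload) === false);              // the PoC never reaches the template
```

Run with `php example.php` (PHP 7.0 or later, for `FILTER_VALIDATE_DOMAIN`). The output-encoding fix in `render_host_field_safe` is the one that actually closes the reported issue; `valid_host` is an extra gate and not a substitute for encoding, since a value can be a syntactically valid hostname and still need escaping in other output contexts.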

topdown commented 7 years ago

These reports are ridiculous.

  1. This is a local tool as in on your computer, not the web
  2. Someone would have to click the link on the web that points to it and have this vagrant box running
  3. It serves no purpose to XSS a local dev

Therefore these "exploits" are not really valid, which is also why none of the globals were ever filtered. Nonetheless I will fix them.

bestshow commented 7 years ago

Ok, if you think I said it was not important, I did not say that.