Describe the bug
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.
This server is only ever run during Spotify setup, and there is no information to steal on this page.
EDIT: Further info: I don't think this is a necessary fix, though it should be simple enough to sanitize the string. I don't plan to make any changes here. Thank you for reporting this, though!
Describe the bug
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.
To Reproduce
Steps to reproduce the behavior:
Where the Issue Occurred
The code below displays the user-controlled parameter
errorwithout sufficient sanitization:Spotify-for-Alfred/callback.php
Line 50 in 941631e
The text was updated successfully, but these errors were encountered: