Description
The current version of Firefly III, version 4.7.17.2, is vulnerable to reflected XSS due to a lack of filtering of user-supplied data in the search query. A malicious attacker can create a specially crafted request that contains JavaScript code. The malicious JavaScript code will be executed when a user opens this link.
This can be easily reproduced in Mozilla Firefox; if you want to reproduce it in Chrome, you should first turn off the XSS auditor in it.
Request
http://insert your host here/search?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
PoC image
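
The flaw class reported above, shown as an added illustration that is not part of the original report and is not Firefly III's code: a search page that echoes `q` unchanged next to one that encodes it on output, plus a regression check a maintainer could run against the response. The render functions, the page markup and the host `firefly.example` are assumptions; only the `/search?q=` path and the query value come from the report.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed URL: path and query string as in the report, placeholder host.
REPORTED_URL = ("http://firefly.example/search"
                "?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E")


def query_param(url, name="q"):
    """Return the URL-decoded parameter value, as the server-side code receives it."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])
    return values[0]


def render_search_unsafe(q):
    """Vulnerable pattern (hypothetical markup): the value is concatenated as-is."""
    return f'<input name="q" value="{q}"><h1>Search results for {q}</h1>'


def render_search_safe(q):
    """Hardened pattern: encode on output for HTML text and quoted attributes."""
    encoded = html.escape(q, quote=True)  # encodes & < > " and '
    return f'<input name="q" value="{encoded}"><h1>Search results for {encoded}</h1>'


def reflects_markup(page, q):
    """Regression check: True if a value containing markup characters
    appears in the response body without being encoded."""
    return any(c in q for c in "<>\"'") and q in page


if __name__ == "__main__":
    q = query_param(REPORTED_URL)
    for render in (render_search_unsafe, render_search_safe):
        page = render(q)
        print(f"{render.__name__}: reflected unencoded = {reflects_markup(page, q)}")
        print("  " + page)
```

Encoding at output time keeps the search term readable for the user (the browser displays the original characters) while the value can no longer close the attribute or open a tag.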