Overview

User input is embedded in the admin interface through jQuery's unsafe prepend() method. This leads to a Cross-site Scripting attack.

The vulnerability is in https://github.com/jofpin/trape/blob/master/static/js/trape.js#L594. The vulnerable parameters are country, query and refer, sent in the POST /register request.

Proof of concept

python trape.py --url example.com --port 8080

Control Panel link, we see an alert() box.
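To make the sink concrete, here is an added example (not trape's own code) of the unsafe string-building pattern behind a prepend() call next to a hardened version that escapes the country, query and refer fields before they reach the admin panel. The victim record shape, the row markup and the sample values are assumptions constructed for the example.

```javascript
// Added example, not code from trape.js: the row markup and the victim record
// shape are assumptions made for illustration.

// Minimal HTML escaping for untrusted text that ends up in element content or
// in a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the POST /register fields are concatenated straight into
// the markup string that is handed to $(...).prepend(), so any tags inside
// them are parsed and executed by the admin's browser.
function buildRowUnsafe(victim) {
  return '<li>' + victim.country + ' | ' + victim.query + ' | ' + victim.refer + '</li>';
}

// Hardened pattern: every untrusted field is escaped first, so the browser
// renders the payload as inert text. The jQuery equivalent is to build the
// element and set its content with .text(value) instead of concatenating HTML.
function buildRowSafe(victim) {
  return '<li>' + escapeHtml(victim.country) + ' | ' +
    escapeHtml(victim.query) + ' | ' + escapeHtml(victim.refer) + '</li>';
}

// Constructed sample record, modelled on the three reported parameters.
const SAMPLE_VICTIM = {
  country: 'XX',
  query: '<script>alert(1)</script>',
  refer: 'http://example.com/?a=1&b="x"',
};

// Returns true when the row still carries a raw tag from user input, i.e. when
// the escaping step was skipped. The wrapper <li> is stripped before checking.
function rowLeaksMarkup(row) {
  const inner = row.replace(/^<li>/, '').replace(/<\/li>$/, '');
  return /[<>]/.test(inner);
}

function demo() {
  console.log('unsafe:', buildRowUnsafe(SAMPLE_VICTIM), rowLeaksMarkup(buildRowUnsafe(SAMPLE_VICTIM)));
  console.log('safe:  ', buildRowSafe(SAMPLE_VICTIM), rowLeaksMarkup(buildRowSafe(SAMPLE_VICTIM)));
}
demo();
```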