This repository has been archived by the owner on Jan 27, 2023. It is now read-only.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session.
You signed out in another tab or window. Reload to refresh your session.
Summary
The parameter
$notesis not sanitized after querying from database, so attackers can create a stored XSS attack.How to reproduce
curl http://<domain.tld>/notes.php --data 'file=1¬es=<script>alert(1)</script>' --cookie 'PHPSESSID=<session_id>'http://<domain.tld>/notes.php?file=1while logged inDetail
The bug exists since
$noteswas assigned to result of database query without sanitizinghttps://github.com/mkucej/i-librarian/blob/master/notes.php#L27
https://github.com/mkucej/i-librarian/blob/master/notes.php#L53
The text was updated successfully, but these errors were encountered: