Closed
Description
Describe the bug
Cross-site scripting due to unfiltered $_GET['filter']
To Reproduce
Steps to reproduce the behavior:
- Log in as Admin
- Go to http://localhost/admin/modules/reporting/pop_chart.php?filter=2022%20%27<script>alert(%270xdc9%27);</script>
- There should be a popup that says '0xdc9'
Versions
- OS: Kali Linux (Debian) 2021
- Browser: Firefox 78.7.0.esr (64-bit)
- Slims Version: slims9_bulian-9.4.2
Vulnerable code
- pop_chart.php lines 43-70
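As an added illustration, not code from SLiMS or from the reporter, the snippet below contrasts a minimal reflected-XSS pattern of the kind the report describes with a hardened handling of the same `filter` parameter. The function names, the assumption that `filter` is meant to be a year, and the 1900-2100 range are all hypothetical choices for this example; the real pop_chart.php code is not reproduced here.

```php
<?php
// Added example, not SLiMS code. Hypothetical minimal form of the defect the
// report describes: the raw query parameter is concatenated into HTML output.
function render_title_vulnerable(array $get): string
{
    $filter = $get['filter'] ?? '';
    return '<h3>Report for ' . $filter . '</h3>'; // unescaped, attacker-controlled markup
}

// Hardened handling, two independent layers:
//  1. Validate at the input: the filter is assumed to be a year, so accept only
//     an integer in a plausible range (hypothetical 1900-2100) and otherwise
//     fall back to the current year.
//  2. Escape at the output sink: anything reflected into HTML passes through
//     htmlspecialchars() with ENT_QUOTES, so quotes, '<' and '>' cannot break
//     out of the surrounding text node or attribute.
function sanitize_filter_year(array $get): int
{
    $year = filter_var($get['filter'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1900, 'max_range' => 2100],
    ]);
    return $year === false ? (int) date('Y') : $year;
}

function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_title_hardened(array $get): string
{
    // The validated int cannot carry markup, but escaping at the sink keeps the
    // pattern safe if the value is ever changed back to a free-form string.
    return '<h3>Report for ' . html_escape((string) sanitize_filter_year($get)) . '</h3>';
}

// If the rejected raw value must be shown back to the user (e.g. in an error
// message), it is escaped rather than dropped, so the message stays inert.
function render_rejected_filter(array $get): string
{
    $raw = (string) ($get['filter'] ?? '');
    return '<p class="error">Invalid filter: ' . html_escape($raw) . '</p>';
}

// Constructed input modelled on the reporter's URL-decoded payload.
$payload = ['filter' => "2022 '<script>alert('0xdc9');</script>"];

echo render_title_vulnerable($payload), PHP_EOL; // <script> tag reaches the browser
echo render_title_hardened($payload), PHP_EOL;   // filter fails validation, current year is used
echo render_rejected_filter($payload), PHP_EOL;  // &lt;script&gt; ... rendered as text, not executed
```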
