| Title | pihome-shc PiHome HVAC 2.0 Cross Site Scripting |
|---|
| Description | The web application is vulnerable to XSS attacks within home.php. Attackers can exploit this vulnerability by injecting a malicious payload in the URL and steal cookies if the cookie flags are not set properly.
The code below shows (home.php from line 26) that the user input is put into the HTML source without sanitization. This is a high risk vulnerability.
```php
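// page_name is taken straight from the query string, with no validation.
if (isset($_GET['page_name'])) {
    $page_name = $_GET['page_name'];
} else {
    $page_name = "homelist";
}
include("header.php");
// $page_name is concatenated into the value attribute unescaped (the XSS sink).
echo '<div class="container-fluid">
<br>
<input type="hidden" id="page_link" value="'.$page_name.'">
'; // excerpt ends here; the original echo string continues in home.php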
```
The developer should escape all input properly. This is a repository-wide issue. |
|---|
| Source | ⚠️ https://www.singto.io/pocsforexploits/pihomehvac_xss_home.md |
|---|
| User | Jelle Janssens (UID 81048) |
|---|
| Submitted | 17/02/2025 08:59 (1 year ago) |
|---|
| Moderation | 27/02/2025 09:53 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 297830 [pihome-shc PiHome 2.0 /home.php page_name cross site scripting] |
|---|
| Points | 20 |
|---|
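
A hardened form of the `page_link` output shown in the description above, as an added example that is not PiHome code and not part of the submission. The helper names (`safe_page_name`, `attr`, `render_page_link`) and the identifier-only format assumed for `page_name` are assumptions; only the default `homelist` comes from the page.

```php
<?php
// Added example, not PiHome code. Assumption: legitimate page_name values are
// short identifiers like the default "homelist" seen in home.php.

// Validate the parameter: fall back to the default when it is missing, is not
// a string (e.g. page_name[]=x arrives as an array), or is not an identifier.
function safe_page_name(array $query, string $default = 'homelist'): string
{
    $raw = $query['page_name'] ?? $default;
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $raw) !== 1) {
        return $default;
    }
    return $raw;
}

// Escape for an HTML attribute context. ENT_QUOTES encodes both quote styles;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validation and output escaping are applied together: validation narrows the
// input, escaping keeps the markup intact even if the validation rule changes.
function render_page_link(array $query): string
{
    return '<input type="hidden" id="page_link" value="'
        . attr(safe_page_name($query)) . '">';
}

// Constructed sample inputs (stand-ins for $_GET).
$samples = [
    [],
    ['page_name' => 'homelist'],
    ['page_name' => '"><b>x</b>'],   // tries to close the attribute and tag
    ['page_name' => ['x']],          // array instead of string
];

foreach ($samples as $query) {
    echo render_page_link($query), "\n";
}

// Escaping on its own, for a value that bypasses validation elsewhere in the code base.
echo attr('"><b>x</b>'), "\n";
```

Because the submission calls this a repository-wide issue, the `attr()` step is the part to apply at every place request data is echoed into markup; the validation rule is specific to this parameter.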