Описание
LGSL has a reflected XSS at /lgsl_files/lgsl_list.php
Reflected XSS at /lgsl_files/lgsl_list.php
Description:
Vulnerability: A reflected XSS vulnerability exists in the Referer HTTP header of LGSL v6.2.1. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization.
When crafted malicious input is provided in the Referer header, it is echoed back into an HTML attribute in the application’s response.
The vulnerability is present at Line 20-24
Proof of Concept:
- Capture a request to the path
/lgsl_files/lgsl_list.php. - Inject the following payload into the Referer header:
test'><script>alert(1)</script><. - Send the request.
- The XSS payload is triggered when reloading.
Impact:
Execution of Malicious Code
Пакеты
tltneon/lgsl
<= 6.2.1
Отсутствует
Связанные уязвимости
LGSL (Live Game Server List) provides online status lists for online video games. Versions up to and including 6.2.1 contain a reflected cross-site scripting vulnerability in the `Referer` HTTP header. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization. When crafted malicious input is provided in the `Referer` header, it is echoed back into an HTML attribute in the application’s response. Commit 7ecb839df9358d21f64cdbff5b2536af25a77de1 contains a patch for the issue.