Javascript Injection in Vending Info/Buyers Info Module in FluxCP

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a result all logged in to fluxcp users can have their session info stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

FluxCP 安全漏洞

FluxCP是rAthena开源的一个基于 web 的控制面板。用于用 PHP 编写的 rAntha 服务器。 FluxCP 1.3之前版本存在安全漏洞，该漏洞源于venders/buyers列表页面和商店名称未经过滤，允许执行任意javascript代码，这可以通过访问商店页面在用户的浏览器上实现，可能导致所有登录用户的会话信息被窃取。

N/A

N/A