[Security] XSS in _contactform.inc.php

**Describe the bug**
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.

**To Reproduce**
Steps to reproduce the behavior:

1. Go to the page with following parameter: http://[localhost]/Detector/web/templates/_contactform.inc.php?cid=%3C/textarea%3E%3Cscript%3Ealert(1);%3C/script%3E
2. Boom!

**Screenshots**

- Attack result
![캡처](https://user-images.githubusercontent.com/26154873/132647109-0a60ec2f-eca9-4024-bd59-f153607bb335.PNG)


**Where the Issue Occurred**
The code below displays the user-controlled parameter `cid` without sufficient sanitization:
https://github.com/dmolsen/Detector/blob/f697794be555b4a2ce070a0b1265a1eb5f87fb58/web/templates/_contactform.inc.php#L22






Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] XSS in _contactform.inc.php #35

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Security] XSS in _contactform.inc.php #35

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions