Easy Transfer Wifi Transfer Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in Easy Transfer Wifi Transfer version 1.7 for iOS. This vulnerability allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters within the Create Folder and Move/Edit functions. The issue arises from inadequate input validation, enabling the execution of arbitrary JavaScript in the context of the mobile web application.
Impact
Exploitation of this vulnerability allows for session hijacking, persistent phishing attacks, unauthorized external redirects to malicious sources, and manipulation of affected application modules.
Reproduction
The vulnerability can be reproduced by sending a POST request to the Create Folder or Move/Edit functions with injected script code in the oldPath, newPath, and path parameters. The injected script will be executed in the context of the application.
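A defensive counterpart to the issue described above, as an added example and not code from the application or the advisory: it validates the three path parameters on input and HTML-encodes stored names when the listing is rendered. The parameter names come from the advisory; the helper names, the `<li>` listing markup and the sample values are assumptions.

```javascript
// Added example: hypothetical helpers, not code from Easy Transfer Wifi Transfer.
const PATH_PARAMS = ["oldPath", "newPath", "path"]; // parameter names from the advisory

// Primary fix: encode HTML-significant characters whenever a stored
// file or folder name is written into a page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Defense in depth: refuse names carrying angle brackets or control
// characters, so markup is never stored in the first place.
function isSafePath(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 1024) {
    return false;
  }
  return !/[<>\u0000-\u001f\u007f]/.test(value);
}

// Returns the names of the path parameters in a parsed POST body
// (a plain object) that fail validation; an empty array means accept.
function rejectedParams(form) {
  return PATH_PARAMS.filter(
    (name) => Object.prototype.hasOwnProperty.call(form, name) && !isSafePath(form[name])
  );
}

// Pattern that produces persistent XSS: the stored name is concatenated
// into markup unencoded (assumed rendering, shown for contrast only).
function renderRowUnsafe(name) {
  return "<li>" + name + "</li>";
}

// Hardened rendering: the same row with the name encoded on output.
function renderRow(name) {
  return "<li>" + escapeHtml(name) + "</li>";
}

// Constructed sample: a folder name that contains harmless markup.
const sampleName = "docs/<b>x</b>";
console.log(rejectedParams({ oldPath: "docs/old", newPath: sampleName })); // rejected on input
console.log(renderRowUnsafe(sampleName)); // markup reaches the page as markup
console.log(renderRow(sampleName));       // markup reaches the page as text
```

Output encoding is the control that closes the issue, because names already stored before validation was added are still rendered safely.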
