PiHome SHC Cross-Site Scripting Vulnerability in Home.php
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in PiHome SHC version 2.0, specifically within the home.php file. The issue arises from the improper handling of the 'page_name' parameter, which allows attackers to inject malicious scripts that could be executed in the context of the user's browser. This vulnerability can be exploited remotely, without the need for authentication, although it does require user interaction.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser. This could lead to cookie theft or other malicious actions, depending on the nature of the injected script.
Reproduction
To reproduce this vulnerability, navigate to the home.php file and manipulate the 'page_name' parameter in the URL. Inject a script payload that could be executed in the browser. The injected script will run as if it originated from the trusted site, potentially leading to cookie theft or other malicious actions.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.