SVX Portal Reflected Cross-Site Scripting Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in SVX Portal version 2.7A, specifically in the Recivers.php file. The vulnerability arises from the id parameter in the query string, which is directly echoed into HTML element IDs without proper validation or encoding. This flaw allows attackers to inject malicious scripts that execute in the context of the user's browser, potentially leading to cookie theft, user impersonation, and other attacks.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the context of the affected site, accessible to any user who visits the crafted URL. This could result in session cookie or authentication token theft, allowing attackers to impersonate users or perform actions on their behalf.

Reproduction

To reproduce this vulnerability, craft a URL that includes an attribute-breaking payload in the id parameter. When the URL is visited, the injected script will execute, demonstrating the XSS vulnerability.