AllskyTeam AllSky Cross-Site Scripting Vulnerability in Allsky Settings Panel
Vulnerability
A stored cross-site scripting vulnerability has been identified in AllskyTeam AllSky version 2024.12.06_06. It allows remote attackers to execute arbitrary JavaScript by injecting scripts into the config, filename, or extratext parameters of the allskySettings.php page. The injected scripts run when the page is loaded: the showMessages() function in status_messages.php renders stored error messages into the page without neutralising them, so the injected markup is interpreted as code.
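The following PHP is an added illustration and is not AllSky project code. It reconstructs the general pattern the advisory describes (a stored value echoed into a status message) next to a hardened version; the function names, the alert markup and the sample value are all constructed assumptions, not taken from status_messages.php.

```php
<?php
// Added example (not AllSky project code). Shows the unsafe output pattern
// the advisory describes beside an escaping fix. Function names, markup and
// the sample value are constructed for illustration.

// Vulnerable pattern (constructed): a stored settings value is concatenated
// into the page body as-is, so any HTML/JS it contains is parsed live.
function renderMessageUnsafe(string $message): string
{
    return '<div class="alert alert-danger">' . $message . '</div>';
}

// Hardened pattern: encode the value for an HTML text context at output time.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside attribute
// values; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function renderMessageSafe(string $message): string
{
    $escaped = htmlspecialchars(
        $message,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="alert alert-danger">' . $escaped . '</div>';
}

// Defence in depth for the filename parameter: reject anything that is not a
// plain file name before it is ever stored (assumed allow-list, not the
// project's own rule).
function isSafeFilename(string $name): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name) === 1;
}

// Constructed sample of the kind of value the advisory says can be stored via
// the config/filename/extratext parameters: a name carrying an SVG onload.
$stored = 'image.jpg<svg onload="x()">';

// Unsafe rendering leaves the <svg onload=...> markup intact in the output.
echo renderMessageUnsafe($stored), PHP_EOL;

// Safe rendering turns <, >, " and ' into entities, so the browser shows the
// text rather than executing it.
echo renderMessageSafe($stored), PHP_EOL;

// The allow-list check rejects the value outright before storage.
var_dump(isSafeFilename($stored));
var_dump(isSafeFilename('image.jpg'));
```

The fix belongs at the point of output (the message renderer), since that is where the stored value meets the browser; the input allow-list is a second layer that only applies to parameters with a naturally restricted format such as filename.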
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of users who access the Allsky Settings page, including administrators.
Reproduction
To reproduce this vulnerability, log into the Allsky Web UI and navigate to the Allsky Settings panel. Intercept the POST request using Burp Suite and inject a script payload, such as an SVG image with an 'onload' event, into the config, filename, or extratext parameters. Once the form is submitted, the injected script will execute when the Allsky Settings page is reloaded.
