GSVoIP Web Panel Cross-Site Scripting Vulnerability

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in the GSVoIP Web Panel version 2.0.90. The issue arises in the 'msg' parameter of the '/painel/gateways.php/error' endpoint, which fails to properly sanitize user input before it is reflected in the HTML response. This lack of sanitization allows remote attackers to inject arbitrary JavaScript that is executed in the context of the victim's browser. Exploitation of this vulnerability could lead to unauthorized script execution, session hijacking, phishing, or other client-side attacks.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, phishing attacks, and unauthorized access to sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to the '/painel/gateways.php/error' endpoint with a crafted 'msg' parameter that includes a JavaScript payload, such as a script tag with an alert function. The injected script will execute in the context of the user's browser.

Remediation

To address this vulnerability, GSVoIP should implement proper output encoding for user-supplied input, use a secure templating engine with auto-escaping features, establish a strict Content Security Policy (CSP) that restricts script sources, and validate input to reject or remove parameters containing HTML tags or script elements.
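The following is an added example, not code from GSVoIP or the advisory, showing the reflection pattern the advisory describes next to a hardened version of the same handler. The function names, the error markup, and the CSP values are assumptions; the real layout of gateways.php is not known from this page. It applies the remediation steps above: HTML-context output encoding, a plain-text check on the parameter, and a Content Security Policy that disallows inline scripts.

```php
<?php
// Added example (not GSVoIP's code): a hypothetical handler for an error page
// that reflects a user-supplied 'msg' parameter.

// VULNERABLE (the pattern described in the advisory): the raw query parameter
// is concatenated straight into the HTML body, so any markup in it is parsed.
function render_error_vulnerable(string $msg): string
{
    return '<div class="error">' . $msg . '</div>';
}

// HARDENED: encode for the HTML context before reflecting. ENT_QUOTES also
// encodes both quote styles so the value is safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_error_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="error">' . $encoded . '</div>';
}

// Defence in depth: an error message never legitimately needs markup, so
// reject values that contain any tags or are unreasonably long.
function is_plain_text_message(string $msg): bool
{
    return $msg === strip_tags($msg) && strlen($msg) <= 512;
}

// Response headers (values are assumptions): a CSP without 'unsafe-inline'
// means an injected inline <script> would not execute even if an encoding
// bug slipped through elsewhere in the page.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample input: the alert-style payload the advisory mentions.
$sample = '<script>alert(1)</script>';

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two renderings side by side.
    echo "vulnerable: " . render_error_vulnerable($sample) . PHP_EOL;
    echo "hardened:   " . render_error_safe($sample) . PHP_EOL;
    echo "plain text: " . (is_plain_text_message($sample) ? 'yes' : 'no') . PHP_EOL;
} else {
    // Web request path: validate, encode, and send the policy headers.
    send_security_headers();
    header('Content-Type: text/html; charset=UTF-8');
    $msg = $_GET['msg'] ?? 'Unknown error';
    if (!is_string($msg) || !is_plain_text_message($msg)) {
        http_response_code(400);
        $msg = 'Invalid message';
    }
    echo render_error_safe($msg);
}
```

Run on the command line, the hardened rendering prints the sample as `&lt;script&gt;alert(1)&lt;/script&gt;` inside the div, which a browser displays as text rather than executing. The validation step and the CSP are independent layers: encoding alone closes the reported issue, the other two limit the blast radius of any reflection point that was missed.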

Added: May 1, 2026, 6:22 PM
Updated: May 1, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.