An attacker can leverage this vulnerability to conduct XSS attacks against users of the site via client-side scripting languages such as JavaScript or Python. It is highly recommended that you do not trust user input and always validate it using a sanitizing plugin or filter. The code should also be placed within a try/catch block to block potential code execution in case of a server error.


Another critical issue with this version of the site is the lack of escaping of data passed in the URL via the component /index.php?page=. This makes it possible for attackers to inject script code and steal sensitive data from the site. It is recommended that you avoid using unescaped characters in the URL path.


A total of 13 critical issues were discovered by security researchers Gustavo Padovan of Google and Rocco Tait of Digital Security. The latest version of this project does not address any of these issues.

Version 3 – High risk of XSS and CSRF attacks

The latest version of this project does not address any of the previous vulnerabilities. While this might be a good thing in some cases, it makes the system more susceptible to XSS and CSRF attacks. As a result, it is highly recommended that you avoid using this version of the website until a proper fix is released.

Rank of Site:

The site scored a D+ on the OWASP Top 10 project. The site scored a C- on the Tango issue tracker.

Timeline

Published on: 09/22/2022 22:15:00 UTC
Last modified on: 09/26/2022 14:14:00 UTC
