CVE-2021-43692: Possible XSS vulnerability · Issue #3 · zxq2233/youtube-php-mirroring
youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php.
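I would like to report an XSS vulnerability. In the excerpts below, the error text built at line 81 is concatenated into the page markup at line 91 with no HTML encoding visible in between, and the result is echoed at line 151; loadTemplate() and replaceThemeTags() insert the value into the template unchanged.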
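// Excerpts from ytproxy/index.php. The "line N" markers are the reporter's
// references into that file; the statements are reproduced as reported, not patched.

// line 81
// The phrase template is selected by the request parameter `e`. $args is populated
// before this point, outside the excerpt, so its origin cannot be confirmed from here.
// NOTE(review): any isset() guard on $phrases[$_GET['e']] is also outside the excerpt.
$args = array_merge( (array) $phrases[$_GET['e']], $args);
$error = call_user_func_array('sprintf', $args);

// line 91
// NOTE(review): $error is concatenated into markup with no HTML encoding visible in
// this excerpt. If any element of $args is request-derived, encode before output, e.g.
// htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). If the phrase
// templates intentionally carry markup, encode each argument before the sprintf call instead.
$themeReplace['error'] = '<div id="error">' . $error . '</div>';

// line 151
// loadTemplate() passes the template through replaceThemeTags(), which substitutes
// $themeReplace values verbatim, so the string set at line 91 reaches the response as-is.
echo loadTemplate('main', $vars);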
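/**
 * Build a page from a template and return it (excerpt from the report).
 *
 * The report elides the start of the body ("// …"), so the code that fills
 * $template is not shown. Only the final steps are visible: the template is
 * passed through replaceThemeTags() and returned.
 *
 * No output encoding happens in the visible part. Whatever the theme
 * replacements contain is returned to the caller unchanged.
 *
 * @param mixed $file Template identifier; the caller in the report passes 'main'.
 * @param array $vars Template variables; their use is in the elided part.
 * @return mixed The template after theme-tag replacement.
 */
function loadTemplate($file, $vars=array()) {
    // … (body elided in the report)

    # Apply theme replacements to template
    $template = replaceThemeTags($template);

    # Return HTML
    return $template;
}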
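/**
 * Substitute theme tags in a template with the values held in the global
 * $themeReplace array.
 *
 * Each key is looked up as the placeholder <!--[key]-->. When COMPATABILITY_MODE
 * is truthy, the legacy placeholder <!--[glype:key]--> is replaced as well.
 *
 * Security note: values are inserted verbatim via str_replace(), with no HTML
 * encoding. This function is a pure sink, so anything placed in $themeReplace
 * must already be encoded for the HTML context by the code that sets it.
 *
 * @param mixed $template Template text containing theme tags.
 * @return mixed The template with every known tag replaced; unchanged when
 *               $themeReplace is empty.
 */
function replaceThemeTags($template) {

    global $themeReplace;

    if ( ! empty($themeReplace) ) {

        foreach ( $themeReplace as $tag => $value ) {

            # Make the replacement (the value is inserted as-is, not encoded)
            $template = str_replace('<!--[' . $tag . ']-->', $value, $template);

            # And for backwards compatibility - will be removed at next major release
            if ( COMPATABILITY_MODE ) {
                $template = str_replace('<!--[glype:' . $tag . ']-->', $value, $template);
            }
        }
    }

    # Return updated
    return $template;
}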