Headline
CVE-2021-46709: XSS vulnerability
phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number).
Issue #399 new
110013 created an issue 2021-08-21
Hi, we found one XSS vulnerability in phpLiteAdmin/index.php.
Line 2667 in index.php assigns $_GET to the variable $number if the $_GET is set. Line 2670 then echoes the variable $number directly.
if(isset($_GET['newRows']))
    $num = $_GET['newRows'];
else
    $num = 1;
echo "<input type='hidden' name='newRows' value='".$num."'/>";
for($j=0; $j<$num; $j++)
The $number is inside an input tag; the attacker can set $_GET to 3'/> <script> alert(1) </script>'/> to perform an XSS attack.
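A hardened form of the snippet reported above, as an added example; it is not code from the report or phpLiteAdmin's own fix. The names `parse_new_rows`, `render_new_rows_field` and the `MAX_NEW_ROWS` bound are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: validate newRows as a bounded integer, then escape on output.
// Hypothetical helper names; MAX_NEW_ROWS is an assumed limit, not from the project.

const MAX_NEW_ROWS = 100;

function parse_new_rows(array $query): int
{
    // Arrays (newRows[]=x) and missing values fall back to the default of 1.
    if (!isset($query['newRows']) || !is_scalar($query['newRows'])) {
        return 1;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so a value carrying quotes or markup never reaches the template.
    $n = filter_var($query['newRows'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_NEW_ROWS],
    ]);
    return $n === false ? 1 : $n;
}

function render_new_rows_field(int $num): string
{
    // Defence in depth: escape even though $num is already an int.
    // The attribute is single-quoted, so ENT_QUOTES is required; before
    // PHP 8.1 the default flags (ENT_COMPAT) left single quotes unescaped.
    $value = htmlspecialchars((string)$num, ENT_QUOTES, 'UTF-8');
    return "<input type='hidden' name='newRows' value='" . $value . "'/>";
}

// Constructed sample query arrays standing in for $_GET.
$samples = [
    ['newRows' => '3'],
    ['newRows' => "3'/> <script> alert(1) </script>'/>"], // string from the report
    ['newRows' => ['x']],
    ['newRows' => '999999'],
    [],
];

foreach ($samples as $query) {
    $num = parse_new_rows($query);
    echo render_new_rows_field($num), "\n";
    // The loop bound is now an int within 1..MAX_NEW_ROWS.
    for ($j = 0; $j < $num; $j++) {
        // row rendering would go here
    }
}
```

Only the first sample yields `value='3'`; every other input falls back to `value='1'`, and the integer bound also keeps the `for` loop from being driven by an arbitrarily large count.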