VYPR
Unrated severity · NVD Advisory · Published Oct 1, 2021 · Updated Aug 4, 2024

CVE-2021-40923

Description

Cross-site scripting (XSS) vulnerability in install/index.php in bugs 1.8 and below version allows remote attackers to inject arbitrary web script or HTML via the email parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Direct reflection of unsanitized user input from POST parameters into HTML output without escaping or encoding."

Attack vector

An attacker crafts a malicious form (or a crafted URL that submits POST data) targeting the install/index.php page. The email, first_name, and last_name parameters are echoed directly into the value attribute of input fields without any sanitization or encoding [ref_id=2]. When a victim visits a page containing such a form and submits it, or is tricked into clicking a crafted link, the injected JavaScript executes in the context of the installation page. The attacker can then perform unauthorized actions, steal session information, or deface the page [ref_id=2].

Affected code

The vulnerability resides in install/index.php of the pixeline/bugs repository [ref_id=1]. The advisory [ref_id=2] shows three input fields where POST parameters are echoed unsanitized: `<?php echo $_POST['first_name']; ?>`, `<?php echo $_POST['last_name']; ?>`, and `<?php echo $_POST['email']; ?>` are placed directly inside the `value` attribute of their respective `<input>` elements.

What the fix does

No patch is included in the bundle. The advisory [ref_id=2] identifies that the vulnerable code directly echoes $_POST values into HTML attributes without escaping. The remediation would require applying proper output encoding (e.g., htmlspecialchars() in PHP) to the email, first_name, and last_name parameters before rendering them inside the value attributes of the input fields. The project maintainers should also review all other user-controlled parameters in install/index.php for similar issues.
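The hardened rendering described above, as an added example rather than code from the pixeline/bugs project: the three field names come from the advisory, while the form action, the button label and the helper names are assumptions. It renders the form from an array so the same function can be exercised with the advisory's payload shape and in a live request, and it applies htmlspecialchars() with ENT_QUOTES so the value can never close the attribute it is placed in.

```php
<?php
// Added example, not code from pixeline/bugs: a hardened rendering of the three
// install-form fields named in the advisory. Field names come from the advisory;
// the form action, button label and helper names are assumptions. Requires PHP 8
// (str_contains).

/**
 * Encode one submitted value for use inside a double-quoted HTML attribute.
 * ENT_QUOTES also encodes the single quote, so the result is safe whichever
 * quote style a template uses; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string; the explicit charset avoids depending on the
 * default_charset ini setting.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Read a form field as a string. Missing keys and arrays (email[]=x) collapse
 * to '' so nothing but a scalar ever reaches the template.
 */
function field(array $post, string $name): string
{
    $v = $post[$name] ?? '';
    return is_string($v) ? $v : '';
}

/** Render the install form from an array of submitted values (e.g. $_POST). */
function renderInstallForm(array $post): string
{
    $first = attr(field($post, 'first_name'));
    $last  = attr(field($post, 'last_name'));
    $email = attr(field($post, 'email'));
    // Compare the vulnerable pattern from the advisory, which echoes
    // $_POST['email'] into value="..." with no encoding at all.
    return <<<HTML
<form method="POST" action="index.php">
  <input name="first_name" value="$first">
  <input name="last_name" value="$last">
  <input name="email" value="$email">
  <button>Continue</button>
</form>
HTML;
}

// Self-check with the payload shape quoted in the advisory: the double quote
// and angle brackets are encoded, so the attribute cannot be closed early and
// no <script> element reaches the parser.
$out = renderInstallForm(['email' => 'test"/><script>alert(1)</script>']);
assert(str_contains($out, 'value="test&quot;/&gt;&lt;script&gt;alert(1)&lt;/script&gt;"'));
assert(!str_contains($out, '<script>'));

// When served by a web SAPI, render the real request.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    echo renderInstallForm($_POST);
}
```

Run it with `php example.php` to exercise the self-check; the assertions fail if either helper is bypassed. The encoding is specific to the HTML attribute context the advisory names: the same values would need different treatment if they were later placed inside a script block, a URL or a JavaScript string.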

Preconditions

  • input: The attacker must coerce a victim into visiting a crafted link or submitting a malicious form to the install/index.php page
  • config: The victim's browser must have JavaScript enabled

Reproduction

1. Host the following HTML form (from [ref_id=2]) on an attacker-controlled page or send it to a victim:

```html
<html>
<form method="POST" action="http://[target]/bugs/install/index.php">
  <input name="email" value='test"/><script>alert(1)</script>'>
  <button>Send my greetings</button>
</form>
</html>
```

2. The victim submits the form (or is tricked into doing so).
3. The injected JavaScript executes in the context of the install page, demonstrating the XSS.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
