CVE-2021-43696

An attacker can send a crafted HTTP request to `list.php` with a malicious payload in the `sEcho` parameter of the query string or POST body. The script reads this value from `$_REQUEST['sEcho']` and embeds it into the JSON response that is printed to the user via `exit(json_encode($response))` [ref_id=1]. Because the value is not sanitized, an attacker can inject JavaScript that executes in the victim's browser when the response is rendered.

The vulnerable file is `twmap_gen/list.php` in the twmap project (version v2.91_v4.33). At line 33, the script assigns `$_REQUEST['sEcho']` directly into the `$response` array and then passes the entire response through `json_encode()` and `exit()` [ref_id=1]. The `$_REQUEST` value is not sanitized or escaped before being output.

The advisory does not include a published patch or fix commit [ref_id=1]. To remediate the vulnerability, the `$_REQUEST['sEcho']` value should be sanitized or HTML-encoded before being placed into the JSON response, or the application should validate that the input contains only expected characters (e.g., a numeric echo identifier) rather than arbitrary user-controlled strings.