{“lastseen”:”2026-05-28T15:06:17″,”description”:”WebFileSys version 2.31.1 suffers from multiple cross site scripting vulnerabilities…”,”published”:”2026-05-28T00:00:00″,”modified”:”2026-05-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WebFileSys 2.31.1 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:222116″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-29971″],”sourceData”:”# CVE-2026-29971\\n An attacker can execute arbitrary JavaScript in the victim’s browser, potentially leading to session hijacking or privilege escalation.\\n # CVE-2026-29971\\n \\n ## Vulnerability\\n Reflected Cross-Site Scripting (XSS)\\n \\n ## Affected Product\\n WebFileSys\\n \\n ## Affected Version\\n 2.31.1\\n \\n ## Description\\n A reflected cross-site scripting vulnerability exists in WebFileSys\\n version 2.31.1. User-controlled input is reflected into HTML and\\n JavaScript contexts without proper output encoding, allowing an\\n attacker to execute arbitrary JavaScript in the victim’s browser.\\n \\n ## Impact\\n An attacker may exploit this issue by inducing a victim to interact\\n with a crafted request or link. Successful exploitation can lead to:\\n \\n – Session hijacking\\n – Credential theft\\n – Unauthorized actions within the authenticated session\\n \\n ## Affected Components\\n – ftpBackup functionality\\n – authentication input handling\\n – search functionality\\n – error message rendering\\n \\n ## Steps to Reproduce\\n \\n 1. Navigate to the WebFileSys login page.\\n 2. Inject the following payload in the affected parameter.\\n \\n Example payloads which worked:\\n \\u003cIMG SRC=\\\\\\”javascript\\u0026#058;alert(‘XSS’)\\\\\\”, \\n %3CScRiPt%3Ealert(1)%3C%2FsCriPt%3E, \\n \\u003c%\\u003c!–‘%\\u003e\\u003cscript\\u003ealert(1);\\u003c\/script –\\u003e\\n \\n \\n 3. Submit the request.\\n 4. The payload is reflected and executed in the browser.\\n \\n ## CVE\\n CVE-2026-29971\\n \\n ## Discoverer\\n Tharun Teja Chidurala\\n \\n ## References\\n https:\/\/www.cve.org\/CVERecord?id=CVE-2026-29971\\n \\n \\n \\n — packet storm appended poc —\\n \\n # Proof of Concept\\n \\n Payload:\\n \\u003cscript\\u003ealert(1)\\u003c\/script\\u003e\\n \\n Injected into:\\n – login username field\\n – search input\\n – ftpBackup parameter\\n \\n Result:\\n JavaScript executes in the browser context due to improper output encoding.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222116″,”cvss”:{“score”:6.1,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222116\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-28T15:06:17″,”description”:”WebFileSys version 2.31.1 suffers from multiple cross site scripting vulnerabilities…”,”published”:”2026-05-28T00:00:00″,”modified”:”2026-05-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WebFileSys 2.31.1 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:222116″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-29971″],”sourceData”:”# CVE-2026-29971\\n An attacker can execute arbitrary JavaScript in the victim’s…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,31,12,21,13,53,7,11,5],"class_list":["post-57766","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-61","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n