@PreethamBomma
Last active June 26, 2020 08:29
[Description]
NeDi 1.9C is vulnerable to reflected cross-site scripting. The Other-Converter.php file improperly validates user input: the value of the `txt` GET parameter is reflected into the page without output encoding, so an attacker can inject arbitrary JavaScript through that parameter.
------------------------------------------
[Additional Information]
Steps to reproduce:
1. Log in with valid credentials.
2. Go to https://ip-nedi/Other-Converter.php?txt="><script>alert(document.domain)</script>
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Nedi-FindIt
------------------------------------------
[Affected Product Code Base]
Nedi - 1.9C
------------------------------------------
[Affected Component]
Other-Converter.php
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can exploit this vulnerability by supplying arbitrary
JavaScript ("><script>alert(document.domain)</script>) in the `txt` GET
parameter of Other-Converter.php, which results in execution of that
JavaScript in the victim's browser. Through this flaw an attacker can
hijack the user's session.
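
The following is an added example, not code from NeDi or from this advisory. It shows the class of defect described above beside its fix: a raw reflection of `txt` into a quoted HTML attribute (an assumption about the context, suggested by the leading `">` in the payload; the real markup of Other-Converter.php is not shown here) versus the same output encoded with `htmlspecialchars`.

```php
<?php
// Added example (not NeDi's code). Assumes the page reflects the `txt`
// GET parameter into a quoted HTML attribute; the actual markup of
// Other-Converter.php may differ.

// Vulnerable pattern: the parameter is concatenated into HTML as-is, so a
// value starting with "> closes the attribute and the tag, and whatever
// follows is parsed as new markup.
function render_unsafe(string $txt): string {
    return '<input type="text" name="txt" value="' . $txt . '">';
}

// Hardened form: encode for the HTML attribute context. ENT_QUOTES encodes
// both " and ' (so the value cannot break out of either quoting style),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the charset must match the one the page declares.
function esc_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $txt): string {
    return '<input type="text" name="txt" value="' . esc_attr($txt) . '">';
}

// Constructed input: the payload quoted in the advisory above.
$payload = '"><script>alert(document.domain)</script>';

echo "unsafe: ", render_unsafe($payload), PHP_EOL;
echo "safe:   ", render_safe($payload), PHP_EOL;

// Self-check: after encoding, no raw quote or tag from the input survives,
// so the browser renders the payload as literal text inside the attribute.
$safe = render_safe($payload);
assert(strpos($safe, '<script') === false);
assert(substr_count($safe, '"') === 4); // only the two attribute pairs we wrote

// In the real handler the call site would be render_safe($_GET['txt'] ?? '').
```

Encoding must be applied at the point of output, not at input validation time, because the correct encoding depends on where the value lands (attribute, element body, JavaScript string, URL).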
------------------------------------------
[Reference]
http://www.nedi.ch/download/
------------------------------------------
[Discoverer]
Preetham Bomma