October 11, 2025
Reflected XSS via unescaped $_GET['id'] in attribute context in SVX Portal V.2.7A
Mohammed Khalil
Severity: High — CVSS 3.1 Base Score 7.5.
Justification: The application reflects user-controlled input directly into HTML element IDs inside attribute context without any output encoding or validation. This allows an attacker to inject attribute-breaking payloads that execute arbitrary JavaScript in victims' browsers, enabling cookie/token theft, manipulation of page content, user impersonation, and further chained attacks. The vulnerability is trivial to exploit with a single crafted URL and affects any user who visits that URL.
Affected file / component: Recivers.php (HTML generation that emits element id attributes using $_GET['id']).
Vulnerable parameter(s): id (query string).
Affected request example: GET /Recivers.php?id=<payload>
This is a reflected Cross-Site Scripting (XSS) vulnerability. The application inserts the value of the id query parameter directly into multiple HTML element id attributes without encoding or validating it. Because these values are placed inside attribute contexts, a malicious value can break out of the attribute and inject arbitrary HTML or JavaScript into the page. When a victim loads the crafted URL, the injected script runs in the origin of the vulnerable site, with access to cookies not flagged HttpOnly, local storage, the DOM, and any privileged JavaScript APIs available to that origin. The mechanics and impact are those of any reflected XSS; the specifics for this endpoint follow.
The Recivers.php file contains multiple places where $_GET['id'] is echoed directly into element id attributes. The relevant code excerpt is:
<div id = "box_2">
<p><div id="box_1" class="head">Signal values at <span id="callsign<?php echo $_GET['id']?>">repeater</span>
<span id="freq<?php echo $_GET['id']?>"></span><span style="float:right;"><span id="tx<?php echo $_GET['id']?>"><img src="/icons/ball.red.png"></span><span id="stream<?php echo $_GET['id']?>"></span></span></div>
<p>
<tr><th>Receiver</th><th>Sql</th><th>Signal</th><th>Bargraph</th></tr>
<tr id="sigtab<?php echo $_GET['id']?>"><td colspan="4">This page requires Javascript and a modern browser.</td></tr>
</table>
Intended behavior: The endpoint is intended to use a numeric or simple identifier as part of DOM element IDs so that client-side JavaScript can reference elements by predictable IDs (e.g., updating signal values dynamically). Actual behavior: Untrusted input is echoed verbatim into the HTML, once for every element whose ID is built from it. Because the input is embedded inside the double quotes of id="...", an attacker can supply a value containing a double quote followed by additional markup or event handlers; the browser's HTML parser then treats the injected text as new attributes or elements, and the injected code executes when the element is parsed (an injected script tag) or interacted with (an injected event handler).
Mechanism that allows exploitation: absence of output encoding and insufficient input validation. The server does not normalize or whitelist allowed characters for IDs, nor does it apply HTML attribute encoding before output. Browsers will parse attribute-breaking payloads and execute injected event handlers or script tags introduced through injected DOM.
Backend weaknesses observed: missing centralized output-encoding library or template escaping policy, lack of input canonicalization for parameters that are reflected into the DOM, and no use of a safe ID generation helper. There is also no Content-Security-Policy in place to mitigate exploitation by disallowing inline script execution.
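The following PHP is added here as an illustration and is not code from SVX Portal. It places the vulnerable concatenation from Recivers.php beside a hardened version that applies the three controls just described: allow-list validation of id, HTML attribute encoding with htmlspecialchars, and a Content-Security-Policy that does not permit inline script. The function names, the allow-list regex and the CSP value are assumptions chosen for the example; the project may need a different character set or a nonce/hash for its own scripts.

```php
<?php
declare(strict_types=1);
// Added example (not SVX Portal code): vulnerable pattern vs. hardened rendering.

// Vulnerable pattern: $_GET['id'] is concatenated into id="..." with no encoding.
// A value such as  " onmouseover="alert(1)  terminates the attribute and adds a handler.
function vulnerable_fragment(string $id): string
{
    return '<span id="callsign' . $id . '">repeater</span>';
}

// Control 1: allow-list validation. The id is documented as a numeric or simple
// identifier, so accept only a short token of safe characters (regex is an assumption).
function safe_dom_id(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Control 2: contextual output encoding as defence in depth. ENT_QUOTES encodes
// both quote characters, so the value can never close a quoted attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: reject invalid ids, encode the rest before emitting them.
function safe_fragment(string $raw): ?string
{
    $id = safe_dom_id($raw);
    if ($id === null) {
        return null; // caller answers 400 Bad Request
    }
    return '<span id="callsign' . attr($id) . '">repeater</span>';
}

// Request handling sketch for the top of Recivers.php (hypothetical helper).
function handle_request(array $get): void
{
    // Control 3: a CSP without 'unsafe-inline' blocks the injected inline handler
    // even if an encoding bug slips through later. The page's own scripts must then
    // be external files or carry a nonce/hash.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

    $fragment = safe_fragment($get['id'] ?? '');
    if ($fragment === null) {
        http_response_code(400);
        echo 'invalid id';
        return;
    }
    echo $fragment;
}

// CLI self-check: show the two renderings side by side for the advisory's payload.
if (PHP_SAPI === 'cli') {
    $payload = '" onmouseover="alert(1)';
    echo "vulnerable: ", vulnerable_fragment($payload), PHP_EOL;
    echo "hardened:   ", var_export(safe_fragment($payload), true), PHP_EOL;
    echo "valid id:   ", safe_fragment('42'), PHP_EOL;
    echo "encoded:    ", attr($payload), PHP_EOL;
}
```

Run with php on the command line: the vulnerable function emits the payload as a live onmouseover attribute, the hardened function rejects it outright, and attr() shows that even if the allow-list were skipped the double quotes become &quot; and stay inside the attribute value. Validation is the primary control here because an id that contains only [A-Za-z0-9_-] can never break out of the attribute, and encoding is kept so that a future change to the allow-list cannot silently reintroduce the bug.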
1. Target the reflected query parameter id. Example payload for manual testing (raw, illustrative): /Recivers.php?id=" onmouseover="alert(1)
2. URL-encoded PoC to use in a browser:
/Recivers.php?id=%22%20onmouseover%3D%22alert(1)
Send the request (open the URL in a browser or force a victim to visit it).
3. Hover the element that received the injected onmouseover handler, or otherwise cause the injected event to fire. In the excerpt above the handler lands on every element whose ID is built from the parameter; the span with the visible text "repeater" is the easiest to hover, since the empty spans have no rendered area.
4. Observe the JavaScript alert(1) executing in the context of the vulnerable site. The payload needs no closing double quote of its own: the quote that originally terminated the id attribute now terminates the injected onmouseover value. In real attacks, an attacker would replace alert(1) with exfiltration logic that sends cookies or tokens to an attacker-controlled endpoint.
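To confirm the reflection without depending on a hover, the following PHP CLI script (an added example, not part of the advisory) builds the PoC URL with a unique canary token, then parses an HTML body with DOMDocument and lists every element that ended up carrying an injected onmouseover attribute. With no arguments it runs offline against a response constructed inline from the excerpt above, once rendered the vulnerable way and once with attribute encoding; pass a base URL as the first argument to fetch the live page instead (the canary value, the helper names and the reachability of the target are assumptions).

```php
<?php
declare(strict_types=1);
// Added example, not part of the original advisory or the SVX Portal code.

const CANARY = 'xss7f3a'; // assumed unique token so the reflection is unambiguous

// Build the PoC URL: canary followed by the attribute-breaking payload, URL-encoded.
function build_poc_url(string $base, string $canary = CANARY): string
{
    return rtrim($base, '/') . '/Recivers.php?id=' . rawurlencode($canary . '" onmouseover="alert(1)');
}

// Constructed response that mirrors the Recivers.php excerpt, rendered either the
// vulnerable way (no encoding) or with attribute encoding applied. Offline demo only.
function render_excerpt(string $id, bool $encode): string
{
    $v = $encode ? htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $id;
    return '<html><body><div id="box_2">'
        . '<span id="callsign' . $v . '">repeater</span>'
        . '<span id="freq' . $v . '"></span>'
        . '<table><tr id="sigtab' . $v . '"><td>This page requires Javascript</td></tr></table>'
        . '</div></body></html>';
}

// Parse the response as a browser would and return one line per element that
// carries an onmouseover attribute. An empty array means the payload stayed inert.
function find_injected_handlers(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // the page is not well-formed XML; ignore parser noise
    $doc->loadHTML($html);
    libxml_clear_errors();
    $hits = [];
    foreach ((new DOMXPath($doc))->query('//*[@onmouseover]') as $el) {
        $hits[] = sprintf('<%s id="%s" onmouseover="%s">',
            $el->nodeName, $el->getAttribute('id'), $el->getAttribute('onmouseover'));
    }
    return $hits;
}

$payload = CANARY . '" onmouseover="alert(1)';
if ($argc > 1) {
    $url  = build_poc_url($argv[1]);
    $html = @file_get_contents($url);
    if ($html === false) {
        fwrite(STDERR, "fetch failed: $url\n");
        exit(2);
    }
    echo "Fetched $url\n";
} else {
    echo "Offline demo, constructed response rendered without encoding:\n";
    $html = render_excerpt($payload, false);
}

$hits = find_injected_handlers($html);
echo $hits
    ? "VULNERABLE: injected handler on " . count($hits) . " element(s)\n" . implode("\n", $hits) . "\n"
    : "Payload not reflected as a live attribute\n";

if ($argc <= 1) {
    echo "\nSame response with attribute encoding applied:\n";
    $fixed = find_injected_handlers(render_excerpt($payload, true));
    echo $fixed ? "still vulnerable\n" : "no injected handlers; payload is inert\n";
}
exit($hits ? 1 : 0);
```

Parsing the response instead of grepping for the raw string matters: a WAF or a partial fix can leave the payload visible in the source while encoding the quotes, in which case the text is present but no element gains a handler, and only a DOM-level check tells the two cases apart. The non-zero exit code lets the script sit in a regression suite after the fix is deployed.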
This vulnerability allows remote attackers to execute arbitrary JavaScript in the security context of the vulnerable site for any user who opens a crafted URL such as:
https://vulnerable.example/Recivers.php?id=%22%20onmouseover%3D%22alert(1)
Realistic attacker outcomes are those given in the justification above: theft of session cookies or tokens, impersonation of the victim within the application, and further chained attacks carried out with the victim's privileges.