Multiple cross site scripting vulnerabilities in Seo Panel 4.8.0

[sendtogeo]

Hello,

I am a security researcher at the University of Illinois at Chicago. During my analysis of some PHP applications, I came across Seo Panel and found several cross-site scripting vulnerabilities. The details to reproduce them are below:

Multiple cross-site scripting vulnerabilities are present in Seo Panel 4.8.0. The following is detailed information about these vulnerabilities:

file: backlinks.php
line: 82
parameter: to_time and from_time
exploit: http://localhost/Seo-Panel/backlinks.php?fromPopUp=1&from_time=2021-03-02&rep=1&sec=reports&to_time=2021-03-17%22autofocus%20onfocus=alert(1)%20//%22&website_id=1

Similar vulnerabilities are found in other PHP files through from_time and to_time such as analytics.php, log.php, overview.php, pagespeed.php, etc.

file: analytics.php
line: 45
parameter: order_col
exploit: http://localhost/Seo-Panel/analytics.php?from_time=2021-03-18&order_col=url%22autofocus%20onfocus=alert(1)%20//%22&order_val=DESC&report_type=1&search_name=&sec=viewAnalyticsSummary&to_time=2021-03-19&type=&website_id=http://www.example.com

Similar vulnerabilities are found in other PHP files through order_col such as analytics.php, review.php, social_media.php, and webmaster-tools.php. The are other similar vulnerabilities through other parameters such as pageno which is found in alerts.php, log.php, keywords.php, proxy.php, searchengine.php, and siteauditor.php.

To prevent these exploits, I would suggest using filtering functions (e.g., htmlspecialchars).

[sendtogeo]

Thanks to @ahmad Alawi for reporting it.