This writeup describes multiple vulnerabilities in ArrowChat <= 1.5.61, including a Local File Inclusion (LFI) via null-byte injection and a reflected XSS in the admin layout. It provides technical details, proof-of-concept examples, and mitigation suggestions.
Classification
Writeup 90%
Attack Type
LFI | XSS
Complexity
Trivial
Reliability
Reliable
Target: ArrowChat <= 1.5.61
No auth needed
Prerequisites: Access to the target web application