GotoHTTP
Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter of the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from the source code, but explicitly declined to release a patched build immediately, stating that the affected URL is not normally surfaced in a browser or exposed to end users. That claim partially limits real-world risk but does not eliminate it. No active exploitation has been confirmed (the issue is not in CISA KEV); however, the public PoC lowers the bar for abuse.