The parse_str() function is called without its second parameter, so the parsed query-string variables are written directly into the current scope.
Because of this, an attacker can override previously defined variables, in this case
$messageArray which is later displayed using
Because the Content-Type: application/json header is not set, the browser interprets the response as HTML, so we have XSS.
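A minimal illustration of the pattern next to its hardened form, added here as an example and not the advisory's own proof of concept. The handler names, the constructed query string and the json_encode() output are assumptions; the one-argument parse_str() call only runs on PHP 7.x, since PHP 8.0 made the result parameter mandatory.

```php
<?php
// Added example (not the advisory's code): variable clobbering through
// parse_str() without a result array, beside a hardened handler.

// Constructed input: an attacker-chosen name collides with a variable
// the script already defined.
$queryString = 'messageArray[0]=clobbered&page=1';

// --- Vulnerable pattern described in the advisory ---
function vulnerableHandler(string $queryString): string
{
    $messageArray = ['Welcome back'];   // trusted value set by the app
    parse_str($queryString);            // no 2nd arg: writes into this scope
    // $messageArray now holds whatever the query string supplied.
    // No Content-Type header is sent, so a browser renders the body as HTML.
    return json_encode($messageArray);
}

// --- Hardened form ---
function hardenedHandler(string $queryString): string
{
    $messageArray = ['Welcome back'];
    parse_str($queryString, $params);   // 2nd arg: results land in $params only
    $page = (int)($params['page'] ?? 1); // read only the keys you expect
    // Declare the content type so the body is never treated as markup, and
    // escape HTML-significant characters in case it is ever embedded in a page.
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['messages' => $messageArray, 'page' => $page],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Build both responses before emitting anything so header() is not
// called after output has started.
$vulnerable = vulnerableHandler($queryString);
$hardened   = hardenedHandler($queryString);
echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
```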
Proof of Concept:
This issue exists in a few places, for example:
- 15-01-2016: Discovered
- 15-01-2016: Vendor notified
- 16-01-2016: Version 3.2.0 released, issue resolved