Hello,
1. Cross-Site Scripting (XSS)
Authenticated administrators can inject html/js code (there is no CSRF protection).
Method: GET
Vulnerable parameters: logname
Example PHP callstack:
/duplicator/views/tools/logging.php:158
Verification:
--
Regards,
Marcin Probola,