Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq


Reported on

Jan 14th 2022


When creating a link using the editor function, the Stored XSS vulnerability occurs because a javascript scheme can be used.

Proof of Concept

1. Go to campaigns -> Mailing Campaigns -> Editor
2. Enter the URL: javascript:alert(document.domain)
3. After, Click the URL

Video :


Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the chaskiq team within 24 hours. a year ago
Miguel Michelson Martinez validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


I've released a fix on this blocking the input that makes it possible to insert the XSS on the hiperlinks

Miguel Michelson Martinez marked this as fixed in b7f5950 with commit b7f595 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation