HTML Injection in Groups in alfio-event/


Reported on Dec 7th 2022


Insert an XSS payload in the group fields (Name, Description).

Proof of Concept

  1. Log in to the dashboard.

  2. Navigate to Groups.

  3. Insert the following as the Name and Description:

aaaaa<h1 onclick=alert(1)>test



Phishing or Response Manipulation

We are processing your report and will contact the alfio-event/ team within 24 hours. 4 months ago
Sylvain Jermini validated this vulnerability 3 months ago

Hi @reza.duty, you are right, the HTML should not be interpreted in the notification widget.

A fix is pending.

To be noted, Content-Security-Policy is blocking the js code =).

Thank you for reporting it, we appreciate it.
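The rendering pattern the maintainer describes, as an added example that is not alf.io's own code: the notification widget markup, the field names and the helper functions are assumptions, and the payload is the one from the report. It shows the unescaped concatenation that lets the payload become a real element beside the escaped version that displays it as text, plus a small check a unit test can use to catch injected tags in rendered output.

```javascript
// Added example, not code from alf.io. Widget markup and helper names are assumed.
const REPORT_PAYLOAD = 'aaaaa<h1 onclick=alert(1)>test'; // payload from the report

// Escape the five characters that let untrusted text break out of an HTML
// text node or quoted attribute value. Everything else is passed through.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored fields are concatenated straight into the widget
// markup, so "<h1 onclick=...>" is parsed as an element. A CSP can block the
// inline handler, as the maintainer notes, but the injected markup still
// renders, which is what enables phishing-style content in the UI.
function renderNotificationUnsafe(group) {
  return `<div class="notification">Group ${group.name}: ${group.description}</div>`;
}

// Fixed pattern: every untrusted field is escaped before it reaches the
// markup, so the same payload is shown as literal text.
function renderNotificationSafe(group) {
  return `<div class="notification">Group ${escapeHtml(group.name)}: ${escapeHtml(group.description)}</div>`;
}

// Regression check: after stripping the widget's own wrapper, does any tag
// remain in the rendered output? Any hit means a field was not escaped.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="notification">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Render a constructed group with the report's payload through both paths.
function demo() {
  const group = { name: REPORT_PAYLOAD, description: 'Speakers' }; // constructed
  const unsafe = renderNotificationUnsafe(group);
  const safe = renderNotificationSafe(group);
  return {
    unsafe,
    safe,
    unsafeInjected: containsInjectedTag(unsafe), // true
    safeInjected: containsInjectedTag(safe),     // false
  };
}
```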

reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
3 months ago


Thanks, can you please request a CVE?

Celestino Bellone marked this as fixed in 2.0-M4-2301 with commit c1ae54 2 months ago
Celestino Bellone has been awarded the fix bounty
This vulnerability has been assigned a CVE
Celestino Bellone published this vulnerability 2 months ago