Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver

Valid

Reported on

Sep 6th 2021


✍️ Description

Accept Bitcoin payments. Free, open-source & self-hosted, Bitcoin payment processor this package is vulnerable for xss

🕵️‍♂️ Proof of Concept

💥 Impact

This vulnerability is capable of xss

Abdul muhaimin
3 months ago

Researcher


@admin already tried to connect them

We have contacted a member of the btcpayserver team and are waiting to hear back 3 months ago
Nicolas Dorier validated this vulnerability 3 months ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Dorier
3 months ago

Maintainer


Investigating on https://github.com/btcpayserver/btcpayserver/issues/2856

Nicolas Dorier
3 months ago

Maintainer


Addressed by https://github.com/btcpayserver/btcpayserver/pull/2863

Nicolas Dorier confirmed that a fix has been merged on fc4e47 3 months ago
Nicolas Dorier has been awarded the fix bounty
Jamie Slome
2 months ago

Admin


@nicolasdorier - the researcher has requested a CVE for this.

Are you happy for a CVE to be assigned to this report? 📦

Nicolas Dorier
2 months ago

Maintainer


sure

Jamie Slome
2 months ago

Admin


CVE published! 🎊

CVE-2021-3830

Jamie Slome
2 months ago

Admin


https://github.com/CVEProject/cvelist/pull/2990