Cross-site Scripting (XSS) - Reflected in pkp/omp


Reported on

Oct 10th 2021

✍️ Description

I was able to perform a Reflected XSS against your website/repository. The Reflected XSS vulnerability occurs when the data provided by the attacker is not sanitized by the server, and then reflected in "normal" pages returned to other users in the course of regular browsing.

Proof of Concept

Check this video for POC: Video


This can allow attackers to execute arbitrary JavaScript code in different contexts for different purposes (e.g., a malicious attacker could potentially steal the victim's session cookies and completely take over their accounts).

We have contacted a member of the pkp/omp team and are waiting to hear back a year ago
Alec Smecher validated this vulnerability a year ago
0x7zed has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher marked this as fixed with commit fb419c a year ago
Alec Smecher has been awarded the fix bounty
This vulnerability will not receive a CVE