Stored XSS in profile settings in namelessmc/nameless

Valid

Reported on

Jul 2nd 2022


Description

Stored XSS via "Website" box in Profile Settings.

Proof of Concept

Go to profile settings, put the following payload in the "Website" box:

google.com"><img src=x onerror=alert(document.domain)>

Save, and see the XSS triggered!

Impact

Stored XSS, execute JavaScript code on the client side.
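
The following is an added example, not part of the original report and not NamelessMC code. It assumes the saved "Website" value is echoed into a double-quoted href attribute, and shows the reported payload rendered with raw interpolation beside output encoding and input validation; all function names are hypothetical.

```javascript
// Added example, not NamelessMC code. Assumption: the saved "Website" value
// is echoed into a double-quoted href attribute on the profile page.

// Constructed sample input: the payload quoted in the report.
const PAYLOAD = 'google.com"><img src=x onerror=alert(document.domain)>';

// Vulnerable pattern: raw interpolation lets `">` close the attribute and tag.
function renderWebsiteUnsafe(website) {
  return `<a href="${website}">${website}</a>`;
}

// Output encoding for HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input validation: keep only values that parse as absolute http(s) URLs.
// Returns the normalized URL, or null when the value should be rejected.
function normalizeWebsite(input) {
  const raw = String(input).trim();
  const candidate = /^https?:\/\//i.test(raw) ? raw : `https://${raw}`;
  try {
    const url = new URL(candidate);
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null; // not a parseable URL
  }
}

// Hardened pattern: escape at output even if the stored value was validated,
// so rows saved before validation existed are also rendered inertly.
function renderWebsiteSafe(website) {
  const safe = escapeHtml(website);
  return `<a href="${safe}" rel="nofollow noopener">${safe}</a>`;
}

console.log(renderWebsiteUnsafe(PAYLOAD)); // markup contains a live <img> tag
console.log(renderWebsiteSafe(PAYLOAD));   // same text, encoded as data
console.log(normalizeWebsite(PAYLOAD), normalizeWebsite('google.com'));
```

Validation at save time and encoding at render time are independent controls; the encoding step is the one that neutralizes this payload regardless of what is already stored.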

We are processing your report and will contact the namelessmc/nameless team within 24 hours. (a year ago)
We have contacted a member of the namelessmc/nameless team and are waiting to hear back. (a year ago)
Sam modified the Severity from Medium to Low (a year ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Sam validated this vulnerability (a year ago)

Thank you - marking this as low as it should never be run for anyone but the malicious user

jhond0e has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sam marked this as fixed in 2.0.0 with commit 3b3efa (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE