Cross-site Scripting (XSS) - Stored in siwapp/siwapp


Reported on

Oct 11th 2021


Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document´s content.

Proof of Concept


injection point Invoicing address "><img src=x onerror=confirm(1)>


Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser.

We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the siwapp team and are waiting to hear back a year ago
siwapp/siwapp maintainer validated this vulnerability a year ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
siwapp/siwapp maintainer confirmed that a fix has been merged on 924d16 a year ago
The fix bounty has been dropped
create_spec.rb#L1-L27 has been validated
to join this conversation