Stored HTML Injection inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address in btcpayserver/btcpayserver


Reported on

Feb 20th 2023


I hope you are all doing well.

*. I wanted to bring to your attention a potential vulnerability on the website

*. During my research, I discovered that the five plus fields are vulnerable to a stored HTML injection attack inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address in

Proof of Concept:

*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

*. The link for the video is provided below for your review:

Reproduction Steps:

*. Go to the website

*. Click payment request.

*. Request new payment.

*. Remember to enable the >>> Request customer data on checkout >>> Request shipping address.

*. Create the payment request.

*. Now click view, we/user need to enter the address and other stuff.

*. Use the following HTML payload in the below fields:









 <html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br /> 
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
 <br /></form></div></body></html>
<input><input"/onmouseover="confirm(1);//“onload=onload><input><innerHTML><img src="" width="1000" height="750" alt="onmouseover=prompt(1);//" /></a></input>

*. Save this information.

*. Now, cancel payment and move on to the payment request and click edit data.

*. Check that request shipping address part were stored and rendered the html injection.

*. That's the issue.

*. Tried both Html/javascript injections, but html injection only worked. Due to your content security policy JS omitted.


*. Restrict special characters and HTML encode attributes in the input fields.

*. Use regular expressions or other techniques to detect and reject malicious input.

*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.

*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.


*. Stored HTML injection with credentials capturing can have serious negative impacts on both individuals and organizations.

*. This type of attack involves injecting malicious code into a website's database, which can then be retrieved and displayed to unsuspecting users. If the injected code captures login credentials, it can allow an attacker to gain unauthorized access to sensitive information or even take control of user accounts.

*. The impact of such an attack can be significant, including financial loss, reputational damage, and legal consequences.

*. For individuals, stored HTML injection with credentials capturing can result in identity theft or the compromise of personal and financial information.

*. For organizations, it can lead to the theft of sensitive data, disruption of services, and loss of customer trust.

*. To prevent this type of attack, it is important for website developers to follow secure coding practices and implement security measures such as input validation and encryption.

*. It is also crucial for users to be vigilant and use strong, unique passwords and to never reuse passwords across multiple accounts.

We are processing your report and will contact the btcpayserver team within 24 hours. a month ago
Manojkumar J modified the report
a month ago
Manojkumar J modified the report
a month ago
Manojkumar J modified the report
a month ago
We have contacted a member of the btcpayserver team and are waiting to hear back a month ago
Nicolas Dorier gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Nicolas Dorier validated this vulnerability a month ago
Manojkumar J has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nicolas Dorier
a month ago


Manojkumar J
22 days ago


Hi Team,

Hope you are doing well on your end. :)

Upon inspection, it appears that a fix for the HTML injection vulnerability in the payment request forms has been implemented.

And I am pleased to confirm that I am no longer able to reproduce the issue.

I want to express my heartfelt appreciation for your prompt action in fixing the HTML injection vulnerability in our payment request forms. Your quick response and dedication to ensuring the security of our system are truly commendable. Thank you for your hard work and commitment to keeping our system safe and secure.

@maintainer I'm curious about the process for assigning a CVE and what the next steps are regarding the resolution of this issue. Could you provide more information on what needs to be done in order to assign a CVE, and what actions will be taken moving forward to ensure that the vulnerability is fully addressed?


Nicolas Dorier
21 days ago


We released yestersday:

Nicolas Dorier marked this as fixed in 1.8.0 with commit ddb125 21 days ago
Nicolas Dorier has been awarded the fix bounty
This vulnerability has been assigned a CVE
Nicolas Dorier published this vulnerability 21 days ago
Manojkumar J
17 days ago


Appreciated, Cheers!

to join this conversation