Cross-site Scripting (XSS) - Reflected in btcpayserver/btcpayserver
Sep 6th 2021
The XSS payload is triggered when the text shown near the payment button is edited and saved.
Proof of Concept
"><img src=x onerror=alert(225552) ~2F>
In the app settings, try editing an already included product. Drop the payload into the Buy Button Text field and save it; the payload will then be triggered.
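The attribute breakout behind this report and the output encoding that stops it, as an added example that is not BTCPay Server's code. It assumes the edit form reflects the saved Buy Button Text into a quoted `value` attribute; the function names and the `buyButtonText` field name are hypothetical.

```javascript
// Added example: hypothetical helpers, not BTCPay Server code.
const PAGE_PAYLOAD = '"><img src=x onerror=alert(225552) ~2F>'; // PoC string from the report

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" (assumed): the saved text is concatenated into the form unencoded.
function renderFieldUnsafe(buttonText) {
  return '<input name="buyButtonText" value="' + buttonText + '">';
}

// "After": same markup, value encoded for the attribute context.
function renderFieldSafe(buttonText) {
  return '<input name="buyButtonText" value="' + escapeHtml(buttonText) + '">';
}

// Simplified scanner (not a full HTML parser): lists the tags the markup
// opens, treating quoted attribute values as opaque.
function openedTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[a-zA-Z]/.test(html[i + 1] || '')) { i++; continue; }
    let j = i + 1;
    while (j < html.length && /[a-zA-Z0-9]/.test(html[j])) j++;
    tags.push(html.slice(i + 1, j).toLowerCase());
    let quote = null;
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    i = j + 1;
  }
  return tags;
}

console.log('unsafe:', openedTags(renderFieldUnsafe(PAGE_PAYLOAD)));
console.log('safe:  ', openedTags(renderFieldSafe(PAGE_PAYLOAD)));
```

A regression test for the fix can assert that rendering the Buy Button Text never opens any tag beyond the expected `input`.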