Cross-site Scripting (XSS) - Reflected in btcpayserver/btcpayserver

Valid

Reported on

Sep 6th 2021


✍️ Description

The XSS payload is triggered when editing and saving the text shown next to the payment button.

🕵️‍♂️ Proof of Concept

"><img src=x onerror=alert(225552) ~2F>

In the app settings, try editing an already included product. Drop the payload into the Buy Button Text field and save it; the payload will then be triggered.

💥 Impact

Execution of custom JavaScript code
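The mechanism behind the report, as an added example that is not BTCPay Server code and not part of the original report: the payload copied from the PoC above is interpolated into button markup two ways. The unsafe renderer concatenates the field straight into HTML, so the leading `">` closes the attribute and tag and the `<img onerror=...>` becomes a real element; the hardened renderer escapes the value on output. The `<button>` template and the `containsInjectedTag` check are assumptions made for the illustration, not the project's own rendering code.

```javascript
// Added example (not BTCPay Server code). Payload copied from the report;
// the button template below is an assumption for illustration only.
const PAYLOAD = '"><img src=x onerror=alert(225552) ~2F>';

// Minimal HTML escaper, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw interpolation of user-controlled text into markup.
// The `">` prefix in the payload terminates the title attribute and the
// <button> start tag, so the browser parses <img ...> as a new element and
// runs its onerror handler when the bogus image `x` fails to load.
function renderButtonUnsafe(buttonText) {
  return `<button class="btn" title="${buttonText}">${buttonText}</button>`;
}

// Hardened pattern: escape every interpolated value at the point of output.
// The payload survives as literal text ("&quot;&gt;&lt;img ...") and no new
// element is created.
function renderButtonSafe(buttonText) {
  const t = escapeHtml(buttonText);
  return `<button class="btn" title="${t}">${t}</button>`;
}

// Crude detector for the demo: after removing the <button> tags we emitted
// ourselves, does any other start tag remain in the rendered HTML?
function containsInjectedTag(html) {
  const inner = html.replace(/^<button[^>]*>/, '').replace(/<\/button>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Runs both renderers over the report's payload and reports which one leaks.
function demo(text = PAYLOAD) {
  const unsafe = renderButtonUnsafe(text);
  const safe = renderButtonSafe(text);
  return {
    unsafe,
    safe,
    unsafeInjects: containsInjectedTag(unsafe), // true for the payload
    safeInjects: containsInjectedTag(safe),     // false for the payload
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('unsafe :', r.unsafe);
  console.log('safe   :', r.safe);
  console.log('injected tag present? unsafe=%s safe=%s', r.unsafeInjects, r.safeInjects);
}
```

The point of the two renderers is the one the maintainer makes later in the thread: an editor preview may run whatever is typed into it, but once the value is saved and the page reloaded, output encoding must guarantee the text is rendered as text. Input validation on the backend is a useful second layer, but escaping on output is what closes this class of bug regardless of which path the value took to reach the page.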

We have contacted a member of the btcpayserver team and are waiting to hear back 2 years ago
btcpayserver/btcpayserver maintainer
2 years ago

Maintainer


I can't reproduce, can you give me the URL of an app with the injection?

Ajmal
2 years ago

Researcher


It triggered at rendering time of the payload. I will provide a PoC video; that's why I have reported it as a reflected XSS.

Ajmal
2 years ago

Researcher


https://drive.google.com/file/d/1ghmdDK8auLVdg8nX_mAR_4LOYYRJixQH/view?usp=sharing

PoC video

Ajmal
2 years ago

Researcher


I think it's a stored, low-level issue.

Nicolas Dorier
2 years ago

Maintainer


Thanks, but I do not need it; just copy/paste the URL here.

Nicolas Dorier
2 years ago

Maintainer


Or can you just create a new user, repro the bug and just give me the login/password?

Ajmal
2 years ago

Researcher


https://mainnet.demo.btcpayserver.org/apps/4Mbmqj7aSgxw63Ej2okwzFioBvC3/settings/pos

  • click the edit button of Green Tea
  • try editing Buy Button Text

Ajmal
2 years ago

Researcher


Login credentials: beefee.pwn@gmail.com : password@1234

Nicolas Dorier
2 years ago

Maintainer


It doesn't work for me; I use the Brave browser. Can you inject the JavaScript in the app so that when I open

https://mainnet.demo.btcpayserver.org/apps/4Mbmqj7aSgxw63Ej2okwzFioBvC3/pos

I can see an alert popup?

Ajmal
2 years ago

Researcher


Sir, I think it is a reflected XSS; that's the reason why you were not able to see the payload. Can you please check the PoC video? It takes only 20 seconds. Thanks for your continuous response.

Andrew
2 years ago

Maintainer


Hi Ajmal, the backend validation prevents that scenario from saving and only you as the editor are seeing the JS execution.

Nicolas Dorier
2 years ago

Maintainer


If we can repro the bug he is showing, we need to fix it, this is a vulnerability.

While the editor may execute javascript, when it is saved and page reloaded, the javascript should not execute anymore.

I saw the video, I tried to reproduce exactly the same steps and can't replicate it. Which browser do you use?

Nicolas Dorier
2 years ago

Maintainer


I tried both with Firefox and Brave, couldn't reproduce. Can you copy/paste the "raw editor" after you managed to replicate it? Maybe if I copy this, I can replicate it.

Ajmal
2 years ago

Researcher


Then I will provide you my raw editor data:

green tea:
  price: 1
  title: Green Tea
  description: "Lovely, fresh and tender, Meng Ding Gan Lu ('sweet dew') is grown in the lush Meng Ding Mountains of the southwestern province of Sichuan where it has been cultivated for over a thousand years."
  image: ~/img/pos-sample/green-tea.jpg
  custom: false
  buyButtonText: "><img src=x onerror=alert(225552) ~2F>

black tea:
  price: 1
  title: Black Tea
  description: "Tian Jian Tian Jian means 'heavenly tippy tea' in Chinese, and it describes the finest grade of dark tea. Our Tian Jian dark tea is from Hunan province which is famous for making some of the best dark teas available."
  image: ~/img/pos-sample/black-tea.jpg
  custom: false

rooibos:
  price: 1.2
  title: Rooibos
  description: "Rooibos is a dramatic red tea made from a South African herb that contains polyphenols and flavonoids. Often called 'African redbush tea', Rooibos herbal tea delights the senses and delivers potential health benefits with each caffeine-free sip."
  image: ~/img/pos-sample/rooibos.jpg
  custom: false

pu erh:
  price: 2
  title: Pu Erh
  description: "This loose pur-erh tea is produced in Yunnan Province, China. The process in a relatively high humidity environment has mellowed the elemental character of the tea when compared to young Pu-erh."
  image: ~/img/pos-sample/pu-erh.jpg
  custom: false

herbal tea:
  price: 1.8
  title: Herbal Tea
  description: "Chamomile tea is made from the flower heads of the chamomile plant. The medicinal use of chamomile dates back to the ancient Egyptians, Romans and Greeks. Pay us what you want!"
  image: ~/img/pos-sample/herbal-tea.jpg
  custom: true

fruit tea:
  price: 1.5
  title: Fruit Tea
  description: "The Tibetan Himalayas, the land is majestic and beautiful—a spiritual place where, despite the perilous environment, many journey seeking enlightenment. Pay us what you want!"
  image: ~/img/pos-sample/fruit-tea.jpg
  inventory: 5
  custom: true

Ajmal
2 years ago

Researcher


I tested this one in Firefox, Brave, and Chromium.

Nicolas Dorier validated this vulnerability 2 years ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Dorier
2 years ago

Maintainer


Thank you for this, I could finally reproduce!

Nicolas Dorier
2 years ago

Maintainer


Tracking progress https://github.com/btcpayserver/btcpayserver/issues/2856

Ajmal
2 years ago

Researcher


❤️️

Nicolas Dorier
2 years ago

Maintainer


Fixed by https://github.com/btcpayserver/btcpayserver/pull/2863

Nicolas Dorier marked this as fixed with commit fc4e47 2 years ago
Nicolas Dorier has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
2 years ago

Admin


CVE published!
