Cross-site Scripting (XSS) in spiral-project/ihatemoney
Jul 15th 2022
ihatemoney is vulnerable to Cross-Site Scripting (XSS) when inviting people via email.
Steps to reproduce
1. Go to https://ihatemoney.org/ and try out the demo.
2. In the bottom left, click on Invite people.
3. In the Send via Emails section, input the payload <img src=x onerror=alert(document.domain)> into the People to notify field.
4. Click the Send the invitations button and you will see that a pop-up will display.
This vulnerability has the potential to deface the site, compromise user accounts, and run attacker-controlled script in the victim's browser, which can lead to a compromise of the user's device.
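The bug class behind the report is untrusted input from the "People to notify" field being echoed back into HTML without escaping. The following is an added example, not ihatemoney's own code: it assumes the application builds a status message containing the submitted addresses and renders it as HTML (function and variable names are illustrative), and it shows the vulnerable concatenation pattern beside two defensive layers, an allow-list for what an address may look like and HTML escaping of everything that is echoed, including rejected values shown in an error message.

```python
"""Added example (not ihatemoney's own code): why an invite form that echoes
recipient addresses back into HTML is XSS-prone, and two layers of defence.

Assumptions (not taken from the report): the application builds a status
message containing the submitted addresses and renders it as HTML. All
names below are illustrative.
"""
from __future__ import annotations

import html
import re

# Constructed payload, identical to the one in the report.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"

# Deliberately conservative address pattern: local part, '@', dotted domain.
# It is an allow-list, so anything containing '<', '>', quotes or spaces
# never reaches the template at all. (Simplified; not full RFC 5322.)
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_recipients(raw: str) -> tuple[list[str], list[str]]:
    """Split a comma-separated 'People to notify' field into accepted and
    rejected entries. Rejected entries are returned so the caller can report
    them, but they still must be escaped before being displayed."""
    accepted, rejected = [], []
    for token in raw.split(","):
        addr = token.strip()
        if not addr:
            continue
        (accepted if _EMAIL_RE.match(addr) else rejected).append(addr)
    return accepted, rejected


def render_notice_unsafe(addresses: list[str]) -> str:
    """Vulnerable pattern: user-controlled strings concatenated into HTML.
    With the payload above the browser parses a real <img> element and runs
    its onerror handler."""
    return "<p>Invitations sent to: " + ", ".join(addresses) + "</p>"


def render_notice_safe(addresses: list[str]) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at output time,
    so the same payload becomes inert text (&lt;img ...&gt;)."""
    escaped = ", ".join(html.escape(a, quote=True) for a in addresses)
    return "<p>Invitations sent to: " + escaped + "</p>"


def handle_invite(raw_field: str) -> dict:
    """Combine both layers: validate the input, and escape whatever is echoed
    back (including rejected values, since an error message is HTML too)."""
    accepted, rejected = parse_recipients(raw_field)
    error_html = ""
    if rejected:
        escaped = ", ".join(html.escape(r, quote=True) for r in rejected)
        error_html = "<p>Ignored invalid addresses: " + escaped + "</p>"
    return {
        "accepted": accepted,
        "rejected": rejected,
        "notice_html": render_notice_safe(accepted),
        "error_html": error_html,
    }


if __name__ == "__main__":
    field = "alice@example.org, " + PAYLOAD
    print(render_notice_unsafe([PAYLOAD]))  # raw <img ...> reaches the browser
    print(handle_invite(field))             # payload rejected and escaped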
Hi @maintainer, Why the CSRF on logout vulnerability has the severity of 8.8 (High) while the XSS vulnerability in my report is only marked with the severity of 4.4 (Medium)?
Can you explain how you calculate the CVSS score for this report? It is a bit unfair here.
You can see the CSRF on logout vulnerability in these report:
The severity of them are informational or low, but in your previous report, you still accepted it with High severity.
If so, why my report with the XSS vulnerability is only Medium (4.4)? I will be very happy if I know the reason for it. Many thanks!