Cross-site Scripting (XSS) in spiral-project/ihatemoney


Reported on

Jul 15th 2022


ihatemoney is vulnerable to Cross-Site Scripting (XSS) when inviting people via email.

Steps to reproduce

1.Go to and try out the demo.
2.In the bottom left, click on Invite people.
3.In the Send via Emails section, input the payload: <img src=x onerror=alert(document.domain)> into the People to notify field.
4.Click the Send the invitations button and you will see that a pop-up will display.


This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

We are processing your report and will contact the spiral-project/ihatemoney team within 24 hours. 10 months ago
We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 10 months ago
spiral-project/ihatemoney maintainer modified the Severity from High (7.3) to Medium (4.4) 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
spiral-project/ihatemoney maintainer validated this vulnerability 10 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
spiral-project/ihatemoney maintainer marked this as fixed in 5.2.1 with commit 667b65 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE has been validated
10 months ago


Hi @maintainer, Why the CSRF on logout vulnerability has the severity of 8.8 (High) while the XSS vulnerability in my report is only marked with the severity of 4.4 (Medium)?

10 months ago


Can you explain how you calculate the CVSS score for this report? It is a bit unfair here.
You can see the CSRF on logout vulnerability in these report: and
The severity of them are informational or low, but in your previous report, you still accepted it with High severity.
If so, why my report with the XSS vulnerability is only Medium (4.4)? I will be very happy if I know the reason for it. Many thanks!

to join this conversation