Cross-site Scripting (XSS) - Stored in mineweb/minewebcms

Valid

Reported on Sep 15th 2021


Description

A malicious actor can create a new notification containing a malicious payload; when a user receives the notification, the payload is executed.

Proof of Concept

  1. Log in as any user who is able to submit notifications.

  2. Create a new notification at /admin/notifications.

  3. Insert the following payload in the Contents field: <script>alert(document.cookie)</script>

  4. Send the notification to a specific user or to all users; when they log in to the site, the XSS payload is executed.

Impact

With this opportunity, the malicious actor is able to gather session identifiers from any user. With this information, the confidentiality of the target's account is compromised. In this case, the severity is high, since all users can be attacked with one execution, because the notification can be sent to all of them.
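
The following is an added example, not MineWeb's code and not the fix shipped in 1.15.1: it shows a notification renderer before and after output encoding, plus an audit pass that flags rows already stored with markup-like content. All function names, field names and sample rows are hypothetical and constructed for illustration.

```javascript
// Added illustration; function and field names are hypothetical, not MineWeb's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored content is concatenated into markup unchanged.
function renderNotificationUnsafe(n) {
  return `<li class="notification" data-id="${n.id}">${n.content}</li>`;
}

// "After": every stored field is encoded at the point of output.
function renderNotificationSafe(n) {
  return `<li class="notification" data-id="${escapeHtml(n.id)}">${escapeHtml(n.content)}</li>`;
}

// Audit helper: flag rows already stored that contain markup-like content,
// so they can be reviewed once output encoding is deployed.
function findSuspiciousNotifications(rows) {
  const markup = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return rows.filter((r) => markup.test(String(r.content))).map((r) => r.id);
}

// Constructed sample rows; the second uses the payload from the report.
const SAMPLE_ROWS = [
  { id: 1, content: 'Server restart at 18:00 & new map' },
  { id: 2, content: '<script>alert(document.cookie)</script>' },
  { id: 3, content: 'Vote rewards: 2 < 3 keys today' },
];

for (const row of SAMPLE_ROWS) console.log(renderNotificationSafe(row));
console.log('ids to review:', findSuspiciousNotifications(SAMPLE_ROWS));
```

Encoding at output neutralizes payloads that are already in the database, which input filtering alone would not; the audit pass is a review aid and not a substitute for encoding.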

nivcoo validated this vulnerability a year ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo marked this as fixed in 1.15.1 with commit e45797 a year ago
nivcoo has been awarded the fix bounty
This vulnerability will not receive a CVE