Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver

Valid

Reported on

Sep 6th 2021

✍️ Description

stored xss bug via link in store

🕵️‍♂️ Proof of Concept

1. goto https://mainnet.demo.btcpayserver.org/stores and create a store .
2. Now open that store using url https://mainnet.demo.btcpayserver.org/stores/BuBNcrh8vpu4sMcTikqXoP5pXU49hvoFDyqAoA46Tns2 and change website link to javascript:alert(document.domain) .
3. Now goto https://mainnet.demo.btcpayserver.org/stores and click that link and see xss is executed

VIDEO

https://drive.google.com/file/d/1EBFvjw2iOmDnsXOBy-zRxwTtMNLHJ_eh/view?usp=sharing

💥 Impact

Stored xss bug allow to execute arbitary javascript code in victim account .
I see you can add many user to your store . So , using this bug you invite victim to your store and then performe xss attack against him

We have contacted a member of the btcpayserver team and are waiting to hear back 2 years ago
ranjit-git
2 years ago

Researcher

sorry, file location may be incorrect

Nicolas Dorier validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Dorier
2 years ago

Fixed by https://github.com/btcpayserver/btcpayserver/commit/7f40698bba675a3dfbda6584de84d6f3ff68443a

Nicolas Dorier marked this as fixed with commit 7f4069 2 years ago
Nicolas Dorier has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation