Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver

Valid

Reported on

Sep 6th 2021


✍️ Description

Stored XSS bug via link in store

🕵️‍♂️ Proof of Concept

1. Go to https://mainnet.demo.btcpayserver.org/stores and create a store.
2. Now open that store using the URL https://mainnet.demo.btcpayserver.org/stores/BuBNcrh8vpu4sMcTikqXoP5pXU49hvoFDyqAoA46Tns2 and change the website link to javascript:alert(document.domain).
3. Now go to https://mainnet.demo.btcpayserver.org/stores, click that link and see that the XSS is executed.

VIDEO

https://drive.google.com/file/d/1EBFvjw2iOmDnsXOBy-zRxwTtMNLHJ_eh/view?usp=sharing

💥 Impact

Stored XSS bug allows executing arbitrary JavaScript code in the victim's account.
I see you can add many users to your store. So, using this bug you invite the victim to your store and then perform an XSS attack against him.

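The bug above comes from rendering a user-supplied "website" value straight into an href, where a javascript: URL runs on click. As an added illustration of the defence (this is not the report's or BTCPay Server's code, and the helper names are hypothetical), the check below allow-lists the URL scheme after normalising the value the way a browser would, and only then links it:

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a user-supplied "website" link may use. Anything else (javascript:,
# data:, vbscript:, ...) is rejected instead of being rendered into an href.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers remove ASCII tab/newline/CR anywhere in a URL and ignore leading and
# trailing C0 controls and spaces before parsing, so "java\tscript:alert(1)"
# still executes. Normalise the same way before inspecting the scheme so the
# server-side check sees what the browser will see.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def sanitize_website_link(raw: str):
    """Return a normalised http(s) URL, or None if the value must not be linked."""
    url = _TAB_NEWLINE.sub("", raw.strip(_C0_AND_SPACE))
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lower-cases the scheme
        return None
    if not parts.netloc:                      # "https:" or "https:foo" has no host
        return None
    return url


def render_store_link(label: str, raw_url: str) -> str:
    """Render the store's website field as HTML, linking only when the URL is safe.

    The value is HTML-escaped in both text and attribute context, but escaping
    alone does not stop a javascript: URL; the scheme allow-list does.
    """
    safe = sanitize_website_link(raw_url)
    if safe is None:
        return f"<span>{html.escape(label)}</span>"
    href = html.escape(safe, quote=True)
    return f'<a href="{href}" rel="noopener noreferrer">{html.escape(label)}</a>'
```

A rejected value is shown as plain text rather than silently dropped, so the store owner can still see what was saved.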
We have contacted a member of the btcpayserver team and are waiting to hear back 3 months ago
ranjit-git
3 months ago

Researcher


Sorry, the file location may be incorrect.

Nicolas Dorier validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Dorier
3 months ago

Maintainer


Fixed by https://github.com/btcpayserver/btcpayserver/commit/7f40698bba675a3dfbda6584de84d6f3ff68443a

Nicolas Dorier confirmed that a fix has been merged on 7f4069 3 months ago
Nicolas Dorier has been awarded the fix bounty