Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver


Reported on

Sep 6th 2021

✍️ Description

Stored XSS bug via link in store.

🕵️‍♂️ Proof of Concept

1. Go to and create a store.
2. Now open that store using url and change the website link to javascript:alert(document.domain).
3. Now go to and click that link and see that the XSS is executed.


💥 Impact

A stored XSS bug allows executing arbitrary JavaScript code in the victim's account.
I see you can add many users to your store. So, using this bug, you invite the victim to your store and then perform an XSS attack against him.
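
The PoC depends on the stored website link being rendered as a clickable link with no restriction on its URL scheme. As an added example (not BTCPay Server's code and not the change in commit 7f4069), here is a scheme allowlist check for such a field, plus a sweep over already-stored values; the function names, the `website` field and the sample rows are constructed for illustration.

```javascript
// Added example: allowlist check for a user-supplied "website" link.
// Names and data are hypothetical, not taken from BTCPay Server.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized absolute URL that is safe to use as a link target,
// or null if the value must be rejected.
function safeWebsiteLink(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    // The WHATWG URL parser normalizes the value the way a browser does:
    // it trims surrounding whitespace, drops embedded tab/newline characters
    // and lowercases the scheme. A plain string-prefix check does none of this.
    url = new URL(input);
  } catch {
    return null; // relative or unparseable values are rejected
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Sweep stored rows and return the ids whose link fails the check,
// so existing data can be cleaned up after validation is introduced.
function auditStoredLinks(stores) {
  return stores
    .filter((s) => s.website !== "" && safeWebsiteLink(s.website) === null)
    .map((s) => s.id);
}

// Constructed sample rows (not real data).
const constructedStores = [
  { id: "store-a", website: "https://example.com/shop" },
  { id: "store-b", website: "javascript:alert(document.domain)" }, // value from the PoC
  { id: "store-c", website: " JaVaScRiPt:alert(1)" },  // case and leading space
  { id: "store-d", website: "java\tscript:alert(1)" }, // embedded tab
  { id: "store-e", website: "data:text/html,<b>x</b>" },
  { id: "store-f", website: "" },                       // no link set
];

console.log(auditStoredLinks(constructedStores));
```

Validate on write and again when rendering, so rows stored before the check existed are also covered.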

We have contacted a member of the btcpayserver team and are waiting to hear back 2 years ago


sorry, file location may be incorrect

Nicolas Dorier validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Dorier
2 years ago

Fixed by

Nicolas Dorier marked this as fixed with commit 7f4069 2 years ago
Nicolas Dorier has been awarded the fix bounty
This vulnerability will not receive a CVE