Cross-site Scripting (XSS) - Stored in cyrisxd/love-lock-card


Reported on

Jan 15th 2022


Currenty, adding a "+ to the password, or a DOM element to the title, you can inject scripts into HA. I know that this library is meant to be not-secure by design, as stated in the README, and that if someone can update the Lovelance dashboard he can probably execute JS code in other ways, but I think that we can easily fix this.

Proof of Concept

// PoC title
// Scripts in title will be executed on card load
title: 'Title<img hidden src=x onerror="alert(document.location.href)"></img>'

// PoC password
// Scripts in password will be executed after password submittion
password: '"+alert(document.location.href)+"'


A user that can edit Lovelance configuration can inject JS scripts for every user.

We are processing your report and will contact the cyrisxd/love-lock-card team within 24 hours. a year ago
Matteo Gheza submitted a
a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the cyrisxd/love-lock-card team and are waiting to hear back a year ago
cyrisxd validated this vulnerability a year ago
Matteo Gheza has been awarded the disclosure bounty
The fix bounty is now up for grabs
cyrisxd marked this as fixed in 1.1 with commit c82e15 a year ago
Matteo Gheza has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation