Improper Link Input Validation leads to Cross-site Scripting (XSS) in bookwyrm-social/bookwyrm


Reported on

Jul 4th 2022


The link input validation is not filtered protocol javascript of href attribute. It allows attackers to inject malicious links to many fields of the website, such as author introduction, user summary, and book description, ... which could execute javascript code (XSS).

Proof of Concept

Edit a book description or any fields allow link with the following input:

<a href="javascript:alert('Pwned')"> Click here to get FREE access </a>

When a user clicks on the link, the "Pwned" box will pop up.

Link video PoC


According to OWASP:

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirect the user to some other page or site, or modify presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose.

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a year ago
Mouse Reeve validated this vulnerability a year ago
Khang Vo (doublevkay) has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.1 with commit fe33fd a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Mouse Reeve gave praise a year ago
Thank you for flagging!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation