Stored XSS in application name. in autolab/autolab


Reported on

May 11th 2022


Hi there, there is a stored XSS in Oauth application name.

Proof of Concept

  1. Install a local instance of Autolab.
  2. Go to /oauth/applications and create a new application with name <img src=a onerror=alert(document.cookie)>.
  3. Click on Authorize and see that a pop up appears with user's cookies.

Link to POC


Stored XSS, cookies steal.

We are processing your report and will contact the autolab team within 24 hours. a year ago
We have contacted a member of the autolab team and are waiting to hear back a year ago
Joey Wildman modified the Severity from Critical to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joey Wildman validated this vulnerability a year ago

We have verified this issue and are working on a fix.

justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Damian Ho marked this as fixed in 2.8.0 with commit a0a241 a year ago
Damian Ho has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation