Cross-site Scripting (XSS) - Reflected in universaloj/uoj-system


Reported on

Sep 9th 2021

✍️ Description

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

The user-supplied URL path (REQUEST_URI) in reset_pw.php is unsanitized, resulting in reflected cross-site scripting.


Apply context-dependent encoding and/or validation to user input rendered on a page
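
An added example (not the project's code and not the merged fix) of context-dependent encoding for a reflected request path in PHP. The helper names `js_literal` and `html_text` and the sample path are constructed for illustration.

```php
<?php
// Added illustration; not code from uoj-system. Helper names are hypothetical.

/** Encode a value as a JavaScript literal for use inside an inline <script> block. */
function js_literal(string $value): string
{
    // The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the value
    // cannot close the string literal or the surrounding <script> element.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

/** Encode a value for HTML text or a quoted attribute value. */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample standing in for $_SERVER['REQUEST_URI']: it contains the
// characters that terminate a JS string, an HTML attribute and a <script> element.
$requestUri = '/reset_pw?x=\'"</script><b>&';

// Both helpers are called inside PHP tags below. Written outside the tags,
// a call such as json_encode(...) is sent to the browser as literal text
// and nothing is encoded.
?>
<!-- HTML context: entity-encode -->
<p>Requested path: <?= html_text($requestUri) ?></p>

<!-- JavaScript context: emit a complete JS string literal, quotes included -->
<script>
  var currentPath = <?= js_literal($requestUri) ?>;
</script>
```

Run with `php` on the command line to see the rendered output: the same input is encoded differently for each context, and neither form lets it leave the context it was written into.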

We have contacted a member of the universaloj/uoj-system team and are waiting to hear back 14 days ago
billchenchina validated this vulnerability 14 days ago
wtwver has been awarded the disclosure bounty
The fix bounty is now up for grabs
billchenchina confirmed that a fix has been merged on e357d1 14 days ago
billchenchina has been awarded the fix bounty
14 days ago


Hi, the fix json_encode() is a JS function which can be bypassed with a ) at the beginning of the payload

The untrusted input handling should be done with a PHP function. Thanks

14 days ago


Sorry this is updated.

Hi, the fix json_encode() is a PHP function which is not located in php <??>

The untrusted input handling should be done inside the <??> PHP boundary. Thanks

14 days ago


Hi, json_encode is a PHP function. The fix has a syntax error so I've done another commit to fix that.