Cross-site Scripting (XSS) - Reflected in openwhyd/openwhyd


Reported on

Dec 13th 2021


openwhyd is vulnerable to reflected XSS via the redirect parameter of the login page: the value of that parameter is written back into the login page's HTML without validation or escaping.



Vulnerable URL: the login page, with the redirect parameter set to <script>alert(document.cookie)</script>

Proof of Concept

Send the target user a login link whose redirect parameter carries the payload <script>alert(document.cookie)</script>
After the user logs in with their registered account, the payload is reflected into the page and the alert showing document.cookie pops up.


This vulnerability can be used to exfiltrate the victim's cookies and take over the account with the stolen session, provided the session cookie is not flagged HttpOnly. Even with HttpOnly set, the injected script runs in the victim's authenticated origin and can perform actions on their behalf, so the impact is account compromise either way.
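The following is an added illustration, not openwhyd's code and not part of the original report: a hypothetical login handler that echoes its redirect query parameter into the page, which is the reflected-XSS sink described above, next to a hardened version. The hardened version first restricts the value to a same-origin relative path (which also closes the open-redirect angle of a redirect parameter) and then HTML-escapes it for the context it is written into. Function names and markup are assumptions for the example; the payload is the one from the report.

```javascript
// Added illustration (not openwhyd's code): a login page that echoes its
// `redirect` query parameter into HTML, the reflected-XSS sink the report
// describes, next to one way to harden it. Markup and names are hypothetical.

// Escape the characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only a same-origin relative path as the post-login destination:
// it must start with exactly one "/" (so "//host" and "/\host", which browsers
// treat as protocol-relative, are rejected) and contain no control characters.
// Anything else, including absolute URLs and script payloads, falls back to "/".
function safeRedirect(value, fallback = "/") {
  if (typeof value !== "string") return fallback;
  if (!/^\/(?![/\\])/.test(value)) return fallback;
  if (/[\u0000-\u001f\u007f]/.test(value)) return fallback;
  return value;
}

// Vulnerable: the parameter is interpolated verbatim, so a value such as
// <script>alert(document.cookie)</script> lands in the <p> as live markup.
function renderLoginVulnerable(query) {
  const redirect = query.get("redirect") || "/";
  return (
    '<form method="post" action="/login">' +
    `<input type="hidden" name="redirect" value="${redirect}">` +
    '<input name="email"><input name="password" type="password">' +
    "<button>Log in</button></form>" +
    `<p>After logging in you will be sent to ${redirect}</p>`
  );
}

// Hardened: validate first, then escape for the context it is written into.
function renderLoginHardened(query) {
  const redirect = escapeHtml(safeRedirect(query.get("redirect")));
  return (
    '<form method="post" action="/login">' +
    `<input type="hidden" name="redirect" value="${redirect}">` +
    '<input name="email"><input name="password" type="password">' +
    "<button>Log in</button></form>" +
    `<p>After logging in you will be sent to ${redirect}</p>`
  );
}

// Constructed request using the payload from the report.
const PAYLOAD = "<script>alert(document.cookie)</script>";

function demo() {
  const query = new URLSearchParams({ redirect: PAYLOAD });
  return {
    vulnerable: renderLoginVulnerable(query),
    hardened: renderLoginHardened(query),
  };
}

if (typeof module !== "undefined" && require.main === module) {
  const out = demo();
  console.log("vulnerable:", out.vulnerable);
  console.log("hardened:  ", out.hardened);
}
```

Validation and escaping are separate controls: escaping alone would stop the script from executing but still let the form carry an attacker-chosen destination (such as //attacker.example) into the post-login redirect, and validation alone would still reflect a legitimate path containing & or " unescaped.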

Adrien Joly validated this vulnerability
KhanhCM (reporter) was awarded the disclosure bounty
Adrien Joly marked this as fixed in 1.45.12 with commit 102a97
Adrien Joly was awarded the fix bounty
This vulnerability will not receive a CVE