Cross-site Scripting (XSS) - Reflected in openwhyd/openwhyd


Reported on Dec 13th 2021


openwhyd is vulnerable to reflected XSS via the redirect parameter of the login page.



Vulnerable URL<script>alert(document.cookie)</script>

Proof of Concept

Send users the following login link<script>alert(document.cookie)</script>
After a user logs in with their registered account, the XSS popup is triggered.


This vulnerability could be used to steal a user's cookie and gain unauthorized access to that user's account with the stolen cookie.
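As an added illustration of the defect the report describes, not code from the openwhyd project: a login page that reflects the redirect parameter unescaped, beside a hardened version that restricts the target to a local path and HTML-escapes it before insertion. Function and template names are assumptions.

```javascript
// Added example, not openwhyd's own code: a login page that reflects the
// `redirect` query parameter into its HTML, first as the report describes
// (verbatim), then hardened. Function names are hypothetical.

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only same-origin, path-relative targets; anything else becomes "/".
// Rejecting "//host" and "/\host" also closes the open-redirect use of the
// same parameter, since browsers treat those as protocol-relative URLs.
function safeRedirectTarget(redirect) {
  if (typeof redirect !== 'string' || !redirect.startsWith('/')) return '/';
  if (redirect.startsWith('//') || redirect.startsWith('/\\')) return '/';
  if (/[\r\n\0]/.test(redirect)) return '/';
  return redirect;
}

// Vulnerable: the parameter is interpolated into the page unchanged, so the
// report's payload is parsed by the browser as a script element.
function renderLoginVulnerable(redirect) {
  return `<form method="post" action="/login">
  <input type="hidden" name="redirect" value="${redirect}">
  <p>After login you will be sent to ${redirect}</p>
  <button>Log in</button>
</form>`;
}

// Hardened: validate the target first, then escape it for each HTML context.
function renderLoginSafe(redirect) {
  const target = escapeHtml(safeRedirectTarget(redirect));
  return `<form method="post" action="/login">
  <input type="hidden" name="redirect" value="${target}">
  <p>After login you will be sent to ${target}</p>
  <button>Log in</button>
</form>`;
}

// Constructed sample inputs: the payload quoted in the report, and the same
// payload appended to an otherwise valid local path.
const REPORT_PAYLOAD = '<script>alert(document.cookie)</script>';
const PATH_WITH_PAYLOAD = '/home' + REPORT_PAYLOAD;
```

Escaping alone would stop the script injection; the path check is what keeps the same parameter from also being usable as an open redirect.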

Timeline

We are processing your report and will contact the openwhyd team within 24 hours. (a month ago)
We have contacted a member of the openwhyd team and are waiting to hear back. (a month ago)
We have sent a follow up to the openwhyd team. We will try again in 7 days. (a month ago)
Adrien Joly validated this vulnerability. (a month ago)
KhanhCM has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Adrien Joly confirmed that a fix has been merged on 102a97. (22 days ago)
Adrien Joly has been awarded the fix bounty.