Cross-site Scripting (XSS) - Reflected in emoncms/emoncms
Dec 6th 2021
EmonCMS 10.9.19 has 2 reflected XSS vulnerabilities:
display_errors within the
process_settings.php file which produce unsanitized error messages.
Proof of Concept A (via errors)
1 - Log in to the app, go to Apps > New and select one of the categories
2 - Rename the app as
3 - Click create
An attacker can craft a link like this
http://target.com/app/view?name=%3Cscript%3Ealert%28%29%3C/script%3E and send it to an authenticated user.
To check if it was an issue due to my local instance I also tried on the instance available to the public at
The test confirmed that the vulnerability exists in the default configuration.
POC public instance
Proof of Concept B (HTTP headers)
1 - Log in to the app as admin and go to
2 - Modify the
Accept-Language headers of HTTP requests sent to the above URL. For example using
Example of a request
    GET /admin/info
    Host: 127.0.0.1
    User-Agent: <script>alert(1)</script>
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: <script>alert(2)</script>
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: EMONCMS_SESSID=sf2g647cjgji47bok647nbd4b9
    Upgrade-Insecure-Requests: 1
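Both proofs of concept have the same root cause: request data (the name parameter in an error message, and the User-Agent and Accept-Language headers) is written into HTML without output encoding. The PHP below is an added example, not EmonCMS code: the function names, the error message wording and the sample values are assumptions made up for illustration, and it shows the unencoded form beside the encoded one.

```php
<?php
// Added illustration, not EmonCMS source. Function names, message text and
// the sample request values below are constructed for this example.

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the request value is concatenated into the error markup as-is.
function render_app_error_unsafe(string $name): string
{
    return '<div class="alert">App "' . $name . '" could not be loaded</div>';
}

// Hardened: same message, value encoded at the point of output.
function render_app_error(string $name): string
{
    return '<div class="alert">App "' . h($name) . '" could not be loaded</div>';
}

// Hardened info table: header values are client-controlled too, so every
// cell is encoded, not only values that arrive as URL parameters.
function render_request_info(array $server): string
{
    $rows = '';
    foreach (['HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE'] as $key) {
        $rows .= '<tr><td>' . h($key) . '</td><td>'
               . h($server[$key] ?? '') . "</td></tr>\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Constructed input mirroring the values used in the report.
$name   = '<script>alert()</script>';
$server = [
    'HTTP_USER_AGENT'      => '<script>alert(1)</script>',
    'HTTP_ACCEPT_LANGUAGE' => '<script>alert(2)</script>',
];

echo render_app_error_unsafe($name), "\n"; // script tag reaches the page intact
$out = render_app_error($name) . "\n" . render_request_info($server);
echo $out;                                 // tags appear as &lt;script&gt;...

// Regression check: no raw tag may survive in the hardened output.
if (stripos($out, '<script') !== false) {
    throw new RuntimeException('unencoded request data in output');
}
```

Encoding belongs at the point of output, for every value that originates in the request, including headers that are normally set by the browser.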