Cross-site Scripting (XSS) - Reflected in emoncms/emoncms


Reported on

Dec 6th 2021


EmonCMS 10.9.19 has 2 reflected XSS vulnerabilities:

1 - one that is executed when a user tries to generate a new app whose name contains javascript code. The vulnerability leverages the default option of display_errors within the process_settings.php file which produce unsanitized error messages.

2 - one that is executed when javascript code is injected within http headers (User-Agent, Accept-Language).

Proof of Concept A (via errors)

1 - login into the app and go to Apps > New and select one of the categories

2 - Rename the app as <script>alert()</script>

3 - Click create

An attacker can craft a link like this and send it to an authenticated user.


To check if it was an issue due to my local instance I also tried on the instance available to the public at The test confirmed that the vulnerability exists in the default configuration.

POC public instance

Proof of Concept B (http headers)

1 - login into the app as admin and go to

2 - modify the User-Agent or Accept-Language headers of http requests sent to the above URL. For example using <script>alert()</script>

3 - The javascript code will be executed when the above url will be visited.

Example of a request

GET /admin/info HTTP/1.1
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: <script>alert(2)</script>
Accept-Encoding: gzip, deflate
Connection: close
Cookie: EMONCMS_SESSID=sf2g647cjgji47bok647nbd4b9
Upgrade-Insecure-Requests: 1


An attacker can execute arbitrary javascript code within the session of a user/admin.

We are processing your report and will contact the emoncms team within 24 hours. 2 months ago
midist0xf modified their report
2 months ago
We have contacted a member of the emoncms team and are waiting to hear back 2 months ago
We have sent a follow up to the emoncms team. We will try again in 7 days. 2 months ago
Trystan Lea validated this vulnerability a month ago
midist0xf has been awarded the disclosure bounty
The fix bounty is now up for grabs
Trystan Lea confirmed that a fix has been merged on 1be633 a month ago
The fix bounty has been dropped
Trystan Lea
a month ago


Thanks for this midist0xf, Im a little confused on the proposed solution to this one, is the first part of the issue not the emoncms app module is allowing the <script>alert()</script> code to appear unfiltered in the URL?

The name is filtered on the server side and the app is not created if it was given such a name. I've made a small modification to the app module to filter this on the javascript side as well here:

a month ago


Hi Trystan in the first occurrence of the vulnerability, from what I've seen, the issue was present due to the fact that by default display_errors option within process_settings.php file is enabled. As a consequence the application produces unsanitized error messages. In this particular case the malicious name of the app (<script>alert()</script>)was reflected in the error message. I tried to disable display_errors and I couldn't reproduce the xss.