Reflected XSS on conversion filter function in beancount/fava


Reported on Jul 28th 2022


Fava v1.22 has a conversion filter on the income statement dashboard that allows a user to perform reflected XSS, because the value of the conversion filter is not properly validated or escaped before it is rendered into the page.

Proof of Concept

  1. Navigate to a Fava demo instance.
  2. Apply a conversion filter and replace the conversion value in the resulting URL with the payload below.
  3. Hover the mouse cursor over the bar chart (visualization); the XSS alert pops up.

Payload:

  1. "><img src=a onerror=alert(document.domain)>

Screenshot POC: two screenshots ("xss domain" and "xss") showing the alert pop-up with document.domain.


This vulnerability allows an attacker to execute malicious JavaScript in the victim's browser in the context of the Fava web page (the PoC demonstrates this by reading document.domain).

We are processing your report and will contact the beancount/fava team within 24 hours. 15 days ago
We have contacted a member of the beancount/fava team and are waiting to hear back 14 days ago
din modified the report 13 days ago
beancount/fava maintainer modified the Severity from High (7.6) to Medium (6.9) 13 days ago
beancount/fava maintainer gave praise 13 days ago
Thanks for the report :) Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attack to be determined by the attacker, I've marked the attack complexity as "high"
beancount/fava maintainer validated this vulnerability 13 days ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
beancount/fava maintainer confirmed that a fix has been merged on 68bbb6 13 days ago
The fix bounty has been dropped and the fix has been validated 13 days ago