Reflected XSS on conversion filter function in beancount/fava


Reported on

Jul 28th 2022


Fava v1.22 has a conversion filter function on the income statement dashboard that allows a user to perform XSS, due to improper validation of the conversion filter value.

Proof of Concept

  1. Navigate to a Fava demo instance.
  2. Apply a conversion filter and append the payload to the conversion value.
  3. Hover the mouse cursor over the bar chart (visualization); the XSS alert pops up.

Payload:

  1. "><img src=a onerror=alert(document.domain)>

Screenshot POC

  1. [screenshot: xss domain]
  2. [screenshot: xss]


This vulnerability allows execution of malicious JavaScript code in the web page.
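The defect class behind this report is user-controlled text (the conversion filter value) being concatenated into chart tooltip markup without escaping. The following added example is not Fava's code and does not reproduce the actual fix in 1.22.3; the function names, the tooltip template and the amount parameter are assumptions for illustration. It renders the report's payload through a vulnerable string-building tooltip and through an escaped one, and includes a small regression check a maintainer could keep in unit tests.

```javascript
// Added example (not Fava's code): the generic pattern behind a reflected XSS
// in a chart tooltip, and the escaped version that neutralises the payload.
// Function names and the tooltip markup are assumptions for illustration.

// Payload from the report, embedded here as constructed sample input.
const PAYLOAD = '"><img src=a onerror=alert(document.domain)>';

// Vulnerable pattern: the user-controlled conversion string is concatenated
// straight into HTML that would later be assigned to the tooltip's innerHTML.
// It lands in two contexts at once (a double-quoted attribute and text).
function renderTooltipUnsafe(conversion, amount) {
  return `<div class="tooltip" data-conversion="${conversion}">${amount} ${conversion}</div>`;
}

// Minimal HTML escaper covering the characters that matter in both
// text content and double- or single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every interpolation point is escaped before concatenation.
function renderTooltipSafe(conversion, amount) {
  const c = escapeHtml(conversion);
  return `<div class="tooltip" data-conversion="${c}">${escapeHtml(amount)} ${c}</div>`;
}

// Regression check usable in a unit test: the rendered markup must contain
// exactly the opening tags the template itself emits (one <div>), nothing more.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function injected(html) {
  return countTags(html) !== 1;
}

// Stand-alone demonstration.
console.log('unsafe injected:', injected(renderTooltipUnsafe(PAYLOAD, '1.00'))); // true
console.log('safe   injected:', injected(renderTooltipSafe(PAYLOAD, '1.00')));   // false
console.log(renderTooltipSafe(PAYLOAD, '1.00'));
```

In a real front end the stronger fix is to avoid building HTML from strings at all: set the tooltip text with `textContent` or let the templating framework escape interpolations, so the escaper above is only needed where raw HTML is genuinely being assembled.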

We are processing your report and will contact the beancount/fava team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the beancount/fava team and are waiting to hear back a year ago
din modified the report a year ago
beancount/fava maintainer modified the Severity from High (7.6) to Medium (6.9) a year ago
beancount/fava maintainer gave praise a year ago
Thanks for the report :) Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attack to be determined by the attacker, I've marked the attack complexity as "high".
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
beancount/fava maintainer validated this vulnerability a year ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
beancount/fava maintainer marked this as fixed in 1.22.3 with commit 68bbb6 a year ago
The fix bounty has been dropped
This vulnerability has been validated and will not receive a CVE a year ago
