Cross-site Scripting (XSS) - Reflected in area17/twill


Reported on Sep 14th 2021


The application is vulnerable to a reflected cross-site scripting attack.

URL: /contact/offices/
Parameter: offset

Proof of Concept

Open the following URL in the browser for the PoC (only the tail of the URL survived extraction):

[]=bulk&filter={%22status%22:%22published%22}&offset=alert(1)&page=1&sortDir=asc&sortKey=

The provided JavaScript is executed in the browser, showing an alert.


The application or API includes unvalidated and unescaped user input as part of its HTML output. A successful attack allows the attacker to execute arbitrary HTML and JavaScript in the victim's browser. Typically the user will need to interact with a malicious link that points to an attacker-controlled page, such as a watering hole website, an advertisement, or similar.
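As an added illustration (not code from this report or from Twill; the inline-script sink and the pagination markup are assumptions, chosen because the payload `alert(1)` carries no tags and so points at a JavaScript context), the vulnerable interpolation pattern for a pagination `offset` parameter beside a hardened one, plus a small check that tells whether the raw value is echoed back verbatim:

```python
import html
import json
import re
from urllib.parse import parse_qs

# Constructed sample: the tail of the report's query string with the injected value.
SAMPLE_QUERY = "filter=%7B%22status%22%3A%22published%22%7D&offset=alert(1)&page=1"


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the raw query value lands inside an inline script."""
    params = parse_qs(query_string)
    offset = params.get("offset", ["0"])[0]
    return f"<script>var offset = {offset};</script>"


def parse_offset(raw: str) -> int:
    """Accept only a short non-negative ASCII integer; reject everything else."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("offset must be a non-negative integer")
    return int(raw)


def render_safe(query_string: str) -> str:
    """Hardened pattern: validate the type, then encode per output context."""
    params = parse_qs(query_string)
    raw = params.get("offset", ["0"])[0]
    try:
        offset = parse_offset(raw)
    except ValueError:
        offset = 0  # fall back to a default instead of echoing the input
    # JSON-encode for the script context, HTML-escape for the attribute context.
    script = f"<script>var offset = {json.dumps(offset)};</script>"
    link = f'<a href="?offset={html.escape(str(offset), quote=True)}">next</a>'
    return script + link


def is_reflected(query_string: str, renderer) -> bool:
    """Detection check: does the raw offset value appear verbatim in the output?"""
    params = parse_qs(query_string)
    raw = params.get("offset", [""])[0]
    return raw != "" and raw in renderer(query_string)
```

Run `is_reflected` over a page's renderer with a harmless marker value to confirm a fix before deploying it; a value that comes back unchanged in a script or attribute context is the condition this report describes.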

We created a GitHub Issue asking the maintainers to create a 2 years ago
2 years ago

Hey Melbin, I’ve emailed the maintainers for you.

We have contacted a member of the area17/twill team and are waiting to hear back 2 years ago
area17/twill maintainer
2 years ago


Hi there, thank you for reporting this. We are actively looking into preventing it. For additional context, this software is 99,99% of the time running behind user authentication (with the possibility to enable 2FA). That said, the demo instance is not, and if an attacker were to know internal URLs and parameters, they could still target authenticated users, which I believe is what you are reporting. I will let you know as soon as a fix can be applied and released.

area17/twill maintainer
2 years ago


@melbinkm @zidingz the issue has been hot-fixed on the demo site and we are about to release Twill 1.2.4 and Twill 2.5.2 with that fix applied.

2 years ago


Thanks! Can you mark the issue valid and fixed?

Quentin Renard validated this vulnerability 2 years ago
melbinkm has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick Boivin marked this as fixed with commit 2dd77b 2 years ago
Patrick Boivin has been awarded the fix bounty