Cross-site Scripting (XSS) - Stored in nuxsmin/syspass


Reported on

May 31st 2022


Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding.

Proof of Concept

1.Access demo website and login with an account.

2.Create new account, in URL/IP field -> input" onclick="alert(document.domain) -> payload will escape from href and title attribute -> Set permission to public for all account

3.Save account -> anyother accounts try to access the URL/IP asssigned to that account -> an alert box will pop up.




1.Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

2.Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

We are processing your report and will contact the nuxsmin/syspass team within 24 hours. a month ago
dungtuanha modified the report
a month ago
dungtuanha modified the report
a month ago
dungtuanha modified the report
a month ago
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back 25 days ago
We have sent a follow up to the nuxsmin/syspass team. We will try again in 7 days. 22 days ago
nuxsmin/syspass maintainer has acknowledged this report 22 days ago
nuxsmin gave praise 22 days ago
Many thanks for your contribution!!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
nuxsmin modified the Severity from Critical (9) to Medium (4.8) 22 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
nuxsmin validated this vulnerability 22 days ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nuxsmin confirmed that a fix has been merged on 4da4d0 22 days ago
The fix bounty has been dropped has been validated
14 days ago

Hi, your demo website ( is always vulnerable to this issue.

to join this conversation