Cross-site Scripting (XSS) - Stored in galette/galette

Reported on Nov 7th 2021

Hi, by reviewing your project I've found multiple stored cross-site scripting vulnerabilities. From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Although they are on the administrator side, it seems interesting to me to correct them. I'm using Galette v0.9.5.2.

Proof of Concept

  • User payload: <img src=x onerror=alert(1) />

  1. When adding a user status, the stored payload is rendered on the page because of the preview in the edit button
  2. When adding a contribution type, the stored payload is rendered on the page because of the preview in the edit button
  3. When adding a title, it is rendered directly on the page
  4. When adding a payment type, it is rendered directly on the page
  5. When editing the description of the association, the footer, and also the long text cards
  6. Inside a transaction description

  • Execution of arbitrary JS code in the administrator's or user's browser session
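
The pattern behind every item above is the same: an admin-supplied label is written into HTML without encoding. The following PHP snippet is an added illustration, not Galette's own code; the row renderer, its function names and the edit link URL are hypothetical. It shows the vulnerable concatenation beside the corrected version, which encodes the stored label both as cell text and inside the edit link's quoted title attribute.

```php
<?php
// Added illustration, not Galette's code. A hypothetical renderer for one row of the
// status list: the stored label appears as cell text and inside the edit link's
// title attribute, the two places a "preview in the edit button" draws from.

// Payload from the report, as it would sit in the database after being saved.
$storedLabel = '<img src=x onerror=alert(1) />';

// Vulnerable pattern: the stored value is concatenated straight into the markup.
function renderStatusRowVulnerable(string $label): string
{
    return '<tr><td>' . $label . '</td>'
         . '<td><a href="status_edit?id=1" title="Edit ' . $label . '">edit</a></td></tr>';
}

// Hardened pattern: encode at output time. ENT_QUOTES also encodes ' and ", which is
// what keeps a label from breaking out of a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderStatusRowSafe(string $label): string
{
    return '<tr><td>' . h($label) . '</td>'
         . '<td><a href="status_edit?id=1" title="Edit ' . h($label) . '">edit</a></td></tr>';
}

// Regression check: the payload may survive only as visible text, never as a live tag.
function outputIsInert(string $html): bool
{
    return strpos($html, '<img') === false
        && strpos($html, '&lt;img src=x onerror=alert(1) /&gt;') !== false;
}

echo renderStatusRowVulnerable($storedLabel), PHP_EOL;  // the tag is live: a browser fires onerror
echo renderStatusRowSafe($storedLabel), PHP_EOL;        // the tag is shown as text
echo outputIsInert(renderStatusRowVulnerable($storedLabel)) ? 'inert' : 'XSS', PHP_EOL;
echo outputIsInert(renderStatusRowSafe($storedLabel)) ? 'inert' : 'XSS', PHP_EOL;
```

When the markup comes from a template engine rather than string concatenation, the same rule applies: every stored value goes through the engine's escaping filter, including values placed in attributes such as title or value.
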
  • We are processing your report and will contact the galette team within 24 hours. (a year ago)
  • JoMar modified the report (a year ago)
  • We have contacted a member of the galette team and are waiting to hear back (a year ago)
  • galette/galette maintainer validated this vulnerability (a year ago)
  • JoMar has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • Johan Cwiklinski marked this as fixed in 0.9.6 with commit 0d55bc (a year ago)
  • Johan Cwiklinski has been awarded the fix bounty
  • This vulnerability will not receive a CVE