Cross-site Scripting (XSS) - Stored in jonschoning/espial


Reported on

Sep 27th 2021


Stored XSS in URL link

Proof of Concept

// PoC request
POST /api/add HTTP/2
Cookie: _SESSION=SilFBialwul9V05BatfVPoUjOf0Klq8Ys0C/kWXvt6o2hKA8gHSKuInA6GCizZLuYIVindIkEq5wUOys/exSV06ByNuR6duw/qBMVA2BMC6evD1k/6RQLCjxm2AXjCJBjEU1jiXW/ZtTBdZyNhwPHI6SK4YClUoiIAfpXuUB+ysShu6Kx+8JCRK2igki/pHI6F/+nXgpt3fGW7Va9/SvIqFNzEtAmIpD0aNupcsEnpp9iG/gkml5J8HT3C0x8JMDRakuS+Em3a+6o9bkbptOS0nU9HVP5lGZsIygZXRB1w1wBE4dqVoXg21VwbARToY8VEbaJZV2CjiBQW8=; XSRF-TOKEN=dBcG59xtr68JUiaUpdwGp9pDUaszdEsgktplKRuf
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: dBcG59xtr68JUiaUpdwGp9pDUaszdEsgktplKRuf
Content-Type: application/json
Content-Length: 192
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers


The XSS payload triggers when a user clicks the stored link.


Impact: stored XSS. The payload is persisted through the /api/add endpoint and executes in the browser of whoever clicks the stored link.
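How a click-triggered stored XSS in a bookmark link comes about, and one way to stop it, shown as an added JavaScript example that is not espial's code (espial's frontend is PureScript and its backend is Haskell) and is not the fix in commit 2d3b3c. It assumes the stored bookmark URL is written into an <a href="..."> and that the payload used a javascript: scheme, which the report implies (the XSS fires on click) but does not show, since the request body is omitted. The function names, the escaping helper and the sample bookmarks are all constructed for this example.

```javascript
// Added example, not espial's code. Assumes the stored bookmark URL is written
// into an <a href="..."> and that the stored payload used a javascript: scheme
// (implied by "triggers on click", not shown in the report).

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Minimal HTML/attribute escaping. Sufficient for text nodes and quoted
// attribute values, but NOT a defence against javascript: URLs in href.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored URL goes straight into href. Escaping does not
// help; javascript:alert(1) has nothing to escape, and the browser decodes
// &quot; back to " before running the URL, so quoted payloads work too.
function renderBookmarkVulnerable(title, url) {
  return `<a href="${escapeHtml(url)}">${escapeHtml(title)}</a>`;
}

// Hardened: parse with the WHATWG URL parser, then allowlist the scheme.
// The parser lower-cases the scheme and strips ASCII tab/newline and leading
// or trailing whitespace, so " JaVaScRiPt:alert(1)" and "java\tscript:alert(1)"
// both come out as protocol "javascript:" and are rejected, where a naive
// startsWith("javascript:") test would let them through. Relative paths,
// data:, vbscript:, file: and anything unparseable are rejected as well.
function safeHref(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return null; // relative or malformed: not a link we render
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened rendering: a rejected URL produces an inert anchor that keeps the
// title and the raw value (escaped, in a data attribute) for display, but has
// no href, so a click cannot execute anything.
function renderBookmarkHardened(title, url) {
  const href = safeHref(url);
  if (href === null) {
    return `<a class="bookmark-rejected" data-rejected-url="${escapeHtml(url)}">${escapeHtml(title)}</a>`;
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(title)}</a>`;
}

// Mimics what the browser does with an href value before following it:
// drop ASCII tab/newline, trim whitespace, then look at the scheme.
function hrefSchemeIsExecutable(html) {
  const m = /href="([^"]*)"/.exec(html);
  if (!m) return false;
  const value = m[1].replace(/[\t\n\r]/g, "").trim();
  return /^(javascript|data|vbscript):/i.test(value);
}

// Constructed inputs: one benign bookmark and several payload variants.
const SAMPLE_BOOKMARKS = [
  { title: "Espial", url: "https://github.com/jonschoning/espial" },
  { title: "payload", url: "javascript:alert(document.cookie)" },
  { title: "payload (case/whitespace)", url: "  JaVaScRiPt:alert(1)" },
  { title: "payload (embedded tab)", url: "java\tscript:alert(1)" },
  { title: "payload (data URL)", url: "data:text/html,<script>alert(1)</script>" },
];

// For each bookmark, reports whether each renderer emitted an href the browser
// would execute on click.
function auditRenderers(bookmarks = SAMPLE_BOOKMARKS) {
  return bookmarks.map(({ title, url }) => ({
    url,
    vulnerableExecutes: hrefSchemeIsExecutable(renderBookmarkVulnerable(title, url)),
    hardenedExecutes: hrefSchemeIsExecutable(renderBookmarkHardened(title, url)),
  }));
}
```

Attribute escaping is the wrong control for this bug: `javascript:alert(1)` contains nothing that escaping would change, and the browser decodes entities in the attribute before handing the value to its URL parser anyway. The check has to be on the scheme of the parsed URL, not a string prefix test on the raw value, because the parser strips tabs, newlines and surrounding whitespace and lower-cases the scheme before deciding what the URL is. The same allowlist applied in the /api/add handler, before the bookmark is written, keeps a poisoned record out of the database in the first place; the client-side check above then guards any record that was stored before the server check existed.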

We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 years ago
Jon Schoning validated this vulnerability 2 years ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning marked this as fixed with commit 2d3b3c 2 years ago
Jon Schoning has been awarded the fix bounty
This vulnerability will not receive a CVE