XSS via Client Side Template Injection in btcpayserver/btcpayserver

Valid

Reported on

Mar 6th 2023


Description

Hi Team!

First, when creating an app, if you change the "display title" to {{7*7}} and view it, you can see your name become 49.

I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit :(

By changing Display Title to {{alert(document.location)}} it is possible to trigger XSS.

Proof of Concept

[screenshot not preserved]

Impact

Execution of malicious code, theft of confidential data, compromise of the website, disclosure of confidential information, additional security vulnerabilities.
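The report above turns on a user-controlled string (the app's display title) being compiled by a client-side template engine, so its `{{ }}` braces are evaluated instead of shown. The following is an added example, not BTCPay Server's code or its fix: a review helper that flags stored fields containing Vue-style template syntax, and a safe hand-off that serialises such a value as data for the template to bind rather than compile. Function names, the regexes and the sample records are assumptions constructed for this example.

```javascript
// Added example (not BTCPay Server code). Detects Vue-style template syntax in
// user-controlled strings and shows the safe way to pass such a string to a
// client-side template: as bound data, never as template source.

// {{ expression }} interpolation, the pattern used in the report.
const MUSTACHE = /\{\{[\s\S]*?\}\}/;
// v-html=, v-bind:..., v-on:... directives inside user-supplied markup.
const VUE_DIRECTIVE = /\bv-[a-z]+(?:[.:][\w-]+)*\s*=/i;

/** True when `value` contains syntax a Vue template compiler would evaluate. */
function containsVueTemplateSyntax(value) {
  return MUSTACHE.test(value) || VUE_DIRECTIVE.test(value);
}

/**
 * Review helper: list string fields on stored records whose values would be
 * interpreted as template expressions if they were ever concatenated into
 * template HTML. Useful as a save-time validation or a one-off audit query.
 */
function findTemplateInjectionCandidates(records) {
  const hits = [];
  for (const record of records) {
    for (const [field, value] of Object.entries(record)) {
      if (typeof value === "string" && containsVueTemplateSyntax(value)) {
        hits.push({ id: record.id, field, value });
      }
    }
  }
  return hits;
}

/**
 * Safe hand-off: serialise the value as JSON for a <script> block so the
 * template binds {{ title }} from data. '<' is escaped so the value can
 * neither close the script tag nor inject markup; U+2028/2029 are escaped
 * because they are valid in JSON but break JavaScript string literals.
 */
function safeJsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed sample records (hypothetical, not real BTCPay Server data).
const SAMPLE_APPS = [
  { id: "app-1", displayTitle: "Coffee shop" },
  { id: "app-2", displayTitle: "{{7*7}}" },
  { id: "app-3", displayTitle: '<b v-html="x"></b>' },
];
```

Running `findTemplateInjectionCandidates(SAMPLE_APPS)` reports app-2 and app-3; the safe path is then to store the raw string but render it only through data binding, as `safeJsonForScript` prepares it.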

We are processing your report and will contact the btcpayserver team within 24 hours. 2 months ago
We have contacted a member of the btcpayserver team and are waiting to hear back 2 months ago
Nicolas Dorier validated this vulnerability 2 months ago
Dan Barros has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nicolas Dorier gave praise 2 months ago
Thanks for this, this is a pretty big one. We are working on it.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Dan Barros
2 months ago

Researcher


Thanks Nicolas, is this find eligible for bounty and cve? Greetings

Nicolas Dorier
2 months ago

Maintainer


https://github.com/btcpayserver/btcpayserver/pull/4747

Nicolas Dorier marked this as fixed in 1.8.3 with commit 7b5ce8 2 months ago
Nicolas Dorier has been awarded the fix bounty
This vulnerability has been assigned a CVE
Nicolas Dorier published this vulnerability 2 months ago
Nicolas Dorier
2 months ago

Maintainer


Should be fixed on https://mainnet.demo.btcpayserver.org/apps/3iyZm7qqnKojRxwQW94XWJZkYNXS/crowdfund
