XSS via Client Side Template Injection in btcpayserver/btcpayserver

Valid

Reported on

Mar 6th 2023

Description

Hi Team!

First, when creating an app and in the "display title" if you change it to {{7'*7}}, and you get it, you can see your name become 49.

I think it might be a remote code execution vulnerability via server side template injection, but there is a length limit :(

By changing Display Title to {{alert(document.location)}} it is possible to trigger XSS.

Proof of Concept

Alt Text

Impact

Execution of malicious code, Theft of confidential data , Compromise of the website,Disclosure of confidential information,Additional security vulnerabilities.

We are processing your report and will contact the btcpayserver team within 24 hours. 25 days ago
We have contacted a member of the btcpayserver team and are waiting to hear back 24 days ago
Nicolas Dorier validated this vulnerability 24 days ago
Dan Barros has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nicolas Dorier gave praise 24 days ago
Thanks for this, this is a pretty big one. We are working on it.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Dan Barros
24 days ago

Researcher

Thanks Nicolas, is this find eligible for bounty and cve? Greetings

Nicolas Dorier
24 days ago

Maintainer

https://github.com/btcpayserver/btcpayserver/pull/4747

Nicolas Dorier marked this as fixed in 1.8.3 with commit 7b5ce8 23 days ago
Nicolas Dorier has been awarded the fix bounty
This vulnerability has been assigned a CVE
Nicolas Dorier published this vulnerability 23 days ago
Nicolas Dorier
23 days ago

Maintainer

Should be fixed on https://mainnet.demo.btcpayserver.org/apps/3iyZm7qqnKojRxwQW94XWJZkYNXS/crowdfund

to join this conversation