Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis


Reported on May 23rd 2022


The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

  • it works on Firefox (not in Chromium-based browsers)
  • log in as admin
  • go to
  • create a link whose target is the following payload, a decimal character reference with padded zeros:
  • &#0000106avascript:alert(1)
  • click the link
  • observe the pop-up


Every user who clicks the link can be affected by malicious JavaScript code created by the attacker. The payload is a decimal character reference for the letter j with leading zeros; when the stored value is rendered inside an href attribute, the browser decodes it to javascript:alert(1), so a check that looks for the literal string javascript: in the submitted value would not catch it.
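The following is an added example, not code from the report or from the rosariosis project, showing why the padded decimal entity slips past a naive blocklist and how a validator that decodes character references and then allowlists the URL scheme handles it. The function names, the allowlist and the sample inputs are my own; the samples are constructed for the demonstration and include the report's payload plus related encodings a tester would also try.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed samples (not taken from the report except for the payload itself).
SAMPLES = {
    "plain": "javascript:alert(1)",
    "report_payload": "&#0000106avascript:alert(1)",  # padded decimal reference for 'j'
    "hex_entity": "&#x6A;avascript:alert(1)",          # hex reference for 'j'
    "tab_split": "java\tscript:alert(1)",               # browsers strip tabs in URLs
    "ok_https": "https://example.com/doc.pdf",
    "ok_relative": "/modules/Resources/file.pdf",
}

# Hypothetical allowlist for a resource link; adjust to what the application needs.
ALLOWED_SCHEMES = {"http", "https"}

# ASCII controls and space, which browsers strip from the ends of a URL.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))


def naive_is_safe(href: str) -> bool:
    """Blocklist check of the kind an entity-encoded payload bypasses."""
    return "javascript:" not in href.lower()


def decode_entities(value: str) -> str:
    """Decode HTML character references until the string stops changing.

    html.unescape already accepts numeric references with leading zeros and
    without a trailing semicolon, which is exactly the report's payload.
    Decoding to a fixed point is deliberately conservative for a validator:
    a doubly-encoded value is rejected rather than accepted.
    """
    prev, cur = None, value
    while prev != cur:
        prev, cur = cur, html.unescape(cur)
    return cur


def canonical_scheme(href: str) -> str:
    """Return the lower-cased URL scheme as a browser would see it, or '' if none."""
    decoded = decode_entities(href)
    # Tab, LF and CR are removed anywhere in a URL before scheme detection.
    decoded = re.sub(r"[\t\n\r]", "", decoded).strip(_STRIP_CHARS)
    return urlsplit(decoded).scheme.lower()


def hardened_is_safe(href: str) -> bool:
    """Allowlist check: relative links or http(s) only."""
    scheme = canonical_scheme(href)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def classify(samples: dict) -> dict:
    """Run both checks over the samples so the difference is visible side by side."""
    return {
        name: {"naive": naive_is_safe(value), "hardened": hardened_is_safe(value)}
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:15} naive={verdict['naive']!s:5} hardened={verdict['hardened']}")
```

The naive check accepts the report's payload because the stored bytes never contain the literal string javascript:; the hardened check decodes first, normalises the way a browser does, and only then looks at the scheme, so the decision is made on what the browser will actually execute.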

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
François Jacquet validated this vulnerability a month ago
intrapus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on d9f809 a month ago
François Jacquet has been awarded the fix bounty
Resources.php#L5-L58 has been validated