Cross Site Scripting in Open Web Analytics on most statistics related pages in open-web-analytics/open-web-analytics

Valid

Reported on

May 2nd 2023


Description

The makeJson method within the owa_template class generates a JSON string in an unsafe manner. This method is used in the report.tpl file, where it receives parameters from the URL and builds a JSON string from them without properly sanitizing them.

Proof of Concept

The vulnerability exists in the demo version, so I'll use that for the proof of concept. I did confirm that the vulnerability exists in the latest master version too.

To reproduce this vulnerability you can simply open the following URL: http://demo.openwebanalytics.com/owa/index.php?owa_siteId=c9b7d12e322c7c360fb8f7c72ffe4c41&owa_period=last_seven_days&owa_do=base.reportGeolocation&owa_abc=%22};alert(1);//

In the above URL the parameter owa_abc has been injected with the value "};alert(1);//. This will pop up an alert with the value 1, confirming the vulnerability.

Note that this is just an example URL. This code path is used throughout the application.

Impact

There is no CSP policy by default, so it is possible to inject external scripts using this vulnerability. This removes the need to put everything in the URL, allowing more complex exploits. It would be possible to call user actions from this, for example reading out data and sending it back to an attacker's server, or adding a user account to the system.

Occurrences

This is where the user input gets inserted into the JSON string; I believe this to be the vulnerable line, which should be sanitized.
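To illustrate the class of bug described above, the following is an added example (not OWA's own makeJson code): a constructed string-concatenating JSON builder next to a hardened one based on json_encode(), fed the same parameters as the proof of concept. The parameter names and both function names are constructed for this illustration.

```php
<?php
// Added example, not code from the Open Web Analytics project.
// Contrasts the unsafe pattern (string concatenation into a JavaScript
// object literal) with json_encode() flags suitable for a <script> context.

// Constructed builder: concatenates keys and values straight into the literal.
// A value such as "};alert(1);// closes the string, the object and the
// statement, so whatever follows it runs as script.
function makeJsonUnsafe(array $params): string {
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = '"' . $key . '":"' . $value . '"';
    }
    return '{' . implode(',', $pairs) . '}';
}

// Hardened builder: json_encode() escapes quotes and backslashes, and the
// JSON_HEX_* flags additionally encode < > & ' " as \uXXXX, so the output can
// neither terminate the enclosing <script> element nor break out of the literal.
function makeJsonSafe(array $params): string {
    return json_encode(
        $params,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed request parameters mirroring the report's proof of concept.
$params = [
    'period' => 'last_seven_days',
    'abc'    => '"};alert(1);//',
];

// Compare how each builder renders inside an inline script assignment.
echo "Unsafe: var owa = " . makeJsonUnsafe($params) . ";\n";
echo "Safe:   var owa = " . makeJsonSafe($params) . ";\n";
```

Running the script shows the unsafe output splitting into two statements, while the safe output keeps the injected quote as \u0022 inside a single string literal.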

We are processing your report and will contact the open-web-analytics team within 24 hours. 23 days ago
YouGina
22 days ago

Researcher


@admin I sent in a patch myself, am I allowed to do that? If so, can I create a pull request inside github too? I am not the maintainer of this project.

We have contacted a member of the open-web-analytics team and are waiting to hear back 22 days ago
YouGina
15 days ago

Researcher


@admin, I see the maintainer solved this issue, what's next?

Ben Harvie
3 days ago

Admin


Hi YouGina, if you believe this has been fixed - please provide the fix commit SHA and the fixed version and I can validate this for you manually :)

YouGina
3 days ago

Researcher


Hi Ben,

Thank you for your message, the vulnerability has been fixed in the following commit: ffdb082e1eb0f4f519fa9128536d5e35d7780a1e

With kind regards, YouGina

Pavlos validated this vulnerability 3 days ago
YouGina has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in above 1.7.8 with commit ffdb08 3 days ago
YouGina has been awarded the fix bounty
This vulnerability will not receive a CVE
Pavlos published this vulnerability 3 days ago
owa_template.php#L673 has been validated