Category Cross-site Scripting (XSS) - Stored in nuxsmin/syspass


Reported on May 21st 2022


The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

  1. Create a new user, add a category and enter the XSS payload (" onClick="alert(1)") as its value.
  2. Search for the user.
  3. Click the Client tab.
  4. The XSS payload is executed.

Please check this video.


Every user who clicks the menu can be affected by malicious JavaScript code created by the attacker.

Overall, `"` characters are not escaped in this output, so XSS may occur in other areas as well.
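The root cause described above is a value being written into an HTML attribute without attribute-context escaping. The following PHP snippet is an added illustration, not syspass code: it places the reported string into a `value` attribute first without escaping and then with `htmlspecialchars` in `ENT_QUOTES` mode, and uses a crude attribute count to show that the quote can no longer terminate the attribute. The render functions, the attribute layout and the `countAttributes` check are assumptions made for this example.

```php
<?php
// Added example (not syspass code): the same category value rendered into an
// HTML attribute without escaping and with attribute-context escaping.
// The payload string is the one from the report; the render functions,
// the markup and the check below are assumptions for illustration only.

declare(strict_types=1);

// Constructed input: the value from the proof of concept above.
const REPORTED_PAYLOAD = '" onClick="alert(1)';

// Vulnerable pattern: a user-controlled value is concatenated straight into
// an attribute. The embedded quote closes the value attribute and the rest
// of the string is parsed by the browser as a new onClick attribute.
function renderUnsafe(string $category): string
{
    return '<input type="text" name="category" value="' . $category . '">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES turns
// both " and ' into entities so the value cannot close the attribute, and
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $category): string
{
    return '<input type="text" name="category" value="' . escapeAttr($category) . '">';
}

// Crude regression check for templates: count the attributes a browser would
// see. A correctly escaped value yields exactly the three attributes we wrote.
function countAttributes(string $html): int
{
    return preg_match_all('/\s[A-Za-z][\w-]*="/', $html);
}

$unsafe = renderUnsafe(REPORTED_PAYLOAD);
$safe = renderSafe(REPORTED_PAYLOAD);

echo $unsafe, PHP_EOL; // value="" onClick="alert(1)": the quote broke out
echo $safe, PHP_EOL;   // value="&quot; onClick=&quot;alert(1)": still one attribute

assert(countAttributes($unsafe) === 4); // type, name, value plus the injected onClick
assert(countAttributes($safe) === 3);   // type, name, value only
```

Escaping must match the output context: `htmlspecialchars` without `ENT_QUOTES` leaves single quotes alone, which is not enough for attributes delimited by `'`, and neither variant is sufficient for values written into JavaScript or URL contexts.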

We are processing your report and will contact the nuxsmin/syspass team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back a year ago
nuxsmin gave praise a year ago
Hi! Thanks for the notice. It seems that some values aren't being processed for a clean output within HTML tag attributes. I'm currently working on a fix to be released shortly. Regards
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the nuxsmin/syspass team. We will try again in 7 days. a year ago
nuxsmin validated this vulnerability a year ago
Nick has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nuxsmin marked this as fixed in 3.2.4 with commit 3c026f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
9 months ago


@admin can you pls assign a CVE for this?

Jamie Slome
9 months ago


Happy to, we just require the go-ahead from the maintainer 👍

9 months ago


@maintainer , I would be glad if you could approve for CVE.
