Category Cross-site Scripting (XSS) - Stored in nuxsmin/syspass


Reported on May 21st 2022


The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

  1. Create a new user, add a category and add the XSS payload (" onClick="alert(1)").
  2. Search for the user.
  3. Click the Client tab.
  4. The XSS is executed.

Please check this video.


Every user who clicks the menu can be affected by malicious JavaScript code created by the attacker.

Overall, " characters are not escaped, so XSS may occur in other areas too.
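To show the attribute-context break-out the report describes, here is an added example (not syspass code) that renders a category name into a title attribute the weak way (quotes left unescaped) and the fixed way (quotes escaped), then parses each result the way a browser would so an injected event-handler attribute can be detected. The template, function names and payload placement are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed payload taken from the report: it closes the attribute value
# and smuggles in an event handler attribute.
PAYLOAD = '" onClick="alert(1)"'


def render_category_vulnerable(name: str) -> str:
    """Assumed weak template: escapes < > & but leaves quotes alone."""
    safe = html.escape(name, quote=False)
    return '<a class="category" title="%s">%s</a>' % (safe, safe)


def render_category_fixed(name: str) -> str:
    """Same template with quotes escaped, so data cannot leave the attribute."""
    safe = html.escape(name, quote=True)
    return '<a class="category" title="%s">%s</a>' % (safe, safe)


class _AttrCollector(HTMLParser):
    """Records the attributes of the first <a> tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def parse_attributes(markup: str) -> dict:
    """Parses the rendered tag like a browser and returns its attributes."""
    collector = _AttrCollector()
    collector.feed(markup)
    return collector.attrs


def has_event_handler(markup: str) -> bool:
    """Detection check: did any on* attribute appear in the rendered tag?"""
    return any(k.lower().startswith("on") for k in parse_attributes(markup))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_category_vulnerable),
                          ("fixed", render_category_fixed)):
        out = render(PAYLOAD)
        print(label, "->", out, "| handler injected:", has_event_handler(out))
```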

We are processing your report and will contact the nuxsmin/syspass team within 24 hours.
We created a GitHub Issue asking the maintainers to create a
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back.
nuxsmin gave praise:
Hi! Thanks for the notice. It seems that some values aren't being processed for a clean output within HTML tags' attributes. I'm currently working on a fix to be released shortly. Regards
We have sent a follow-up to the nuxsmin/syspass team. We will try again in 7 days.
nuxsmin validated this vulnerability.
Nick has been awarded the disclosure bounty
nuxsmin confirmed that a fix has been merged on 3c026f.