Multiple Stored XSS Found in fobybus/social-media-skeleton


Reported on

Aug 5th 2023


Stored XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website's database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user's account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.

Proof of Concept

  1. Register New User
  2. Enter the following XSS Payload for First Name, Last Name, and City input fields:
// PoC.js
  1. Login with user
  2. Once logged in you will see alert boxes for First Name and Last Name
  3. Navigate to Profile Page, you will see alert boxes for First Name, Last Name, and City


  1. XSS Payloads in Fields
  2. XSS Executed First Name
  3. XSS Executed Last Name
  4. XSS Executed City


An attacker can inject JavaScript on a victims browser that could lead to stealing cookies in addition to installing JavaScript malware, keyloggers and performing remote actions.

We are processing your report and will contact the fobybus/social-media-skeleton team within 24 hours. 2 months ago
M0ck3d submitted a
2 months ago
M0ck3d modified the report
2 months ago
fobybus gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
fobybus/social-media-skeleton maintainer has acknowledged this report a month ago
fobybus validated this vulnerability a month ago
M0ck3d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a month ago


@fobybus @maintainer Thanks for validating ! When you have a chance please review the fix / patch I attached, let me know if / when to put in the pull request. Additionally, once the fix has been applied, if you could assign a CVE I would greatly appreciate it. Thank you kindly!

fobybus marked this as fixed in 1.0.3 with commit 6765d1 a month ago
M0ck3d has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
a month ago


@fobybus @maintainer Just wanted to know why no CVE ? Or will you wait till after it goes public to assign a CVE ?

a month ago


@admin There was CVE applied to this issue (registered through Github). Would it be possible to add it to this report ?

fobybus published this vulnerability a month ago
Ben Harvie
a month ago



fobybus published this vulnerability 23 days ago
to join this conversation