Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Valid

Reported on

Apr 30th 2022


Description

I am able to bypass the fix in the report https://huntr.dev/bounties/4f7be1e2-b844-4def-af9f-136dcce1c349/ which caused the XSS vulnerability.
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Steps to reproduce

The vulnerability works in Firefox (not in Chromium-based browsers).
1. Log in to the demo environment with an administrator account.
2. In the left menu, go to RESOURCES -> Resources.
3. Add a new record with any TITLE and, in the LINK field, add this payload: javascri	pt:alert(1)
4. Click the SAVE button, then click the link; you will see the XSS popup.

Impact

This vulnerability has the potential to phish a user to another page, trick the user, steal cookies, and gain unauthorized access to that user's account through the stolen cookies.

François
a year ago

Maintainer


Hello @khanhchauminh

Thank you for your report. I have no idea how to prevent those new cases easily then. Any recommendations?

KhanhCM
a year ago

Researcher


Hi @maintainer,

I am not good at fixing vulnerabilities; however, from my point of view, I think you should use a regex to filter those cases. You can search for the string 	; if it exists in the user input, then you can disable the link for that input.

François
a year ago

Maintainer


Thank you for your answer. I have opted for a solution where HTML entities are first decoded. Then, they can be encoded as URL entities, so the payload is now http://[rosariosis_url]/javascri%09pt:alert(1). The fix will come in version 9.0.
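The exchange above turns on one detail: a browser's URL parser removes ASCII tab and newline characters anywhere in a link and trims leading C0 controls before it looks for a scheme, so "javascri<TAB>pt:" is parsed as javascript: while a plain prefix match never sees the word. The following Python is an added example written for this page, not RosarioSIS's own code, illustrating both the reproduction step and the maintainer's fix: it shows the naive check the payload slips past, emulates the browser's normalization (HTML-entity decode, then tab/newline removal) to recover the scheme the browser will actually use, and percent-encodes control characters the way the maintainer describes so a stored tab becomes %09. The allow-list of schemes and all sample inputs are assumptions constructed for the example.

```python
import html
import re
from typing import Optional

# WHATWG URL parsing: ASCII tab/newline are removed anywhere in the input, and
# leading/trailing C0 controls and spaces are trimmed, before the scheme is read.
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

# Assumed allow-list for this example (not RosarioSIS's own configuration).
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_javascript_link(link: str) -> bool:
    """A prefix check of the kind the tab payload slips past."""
    return link.lower().startswith("javascript:")


def scheme_as_browser_sees_it(link: str) -> Optional[str]:
    """Return the scheme a browser would parse from the stored link, or None.

    HTML entities are decoded first (the value may have been saved as &#9; or
    &Tab;), then the browser's own whitespace handling is applied.
    """
    decoded = html.unescape(link)
    normalized = _TAB_OR_NEWLINE.sub("", decoded).strip(_C0_AND_SPACE)
    match = _SCHEME.match(normalized)
    return match.group(1).lower() if match else None


def percent_encode_controls(text: str) -> str:
    """Percent-encode space, C0 controls and DEL so they survive as literals.

    This mirrors the maintainer's approach: an encoded tab (%09) is no longer
    stripped by the browser, so "javascri%09pt:" is not a scheme and the value
    resolves as a relative path instead.
    """
    return "".join(
        f"%{ord(ch):02X}" if ord(ch) <= 0x20 or ord(ch) == 0x7F else ch
        for ch in text
    )


def sanitize_link(link: str) -> Optional[str]:
    """Return an href value safe to store and render, or None to disable the link.

    Links whose browser-parsed scheme is outside ALLOWED_SCHEMES are rejected
    (relative links have no scheme and are kept); the survivor is then
    percent-encoded so what is rendered is exactly what was checked.
    """
    scheme = scheme_as_browser_sees_it(link)
    if scheme is not None and scheme not in ALLOWED_SCHEMES:
        return None
    return percent_encode_controls(html.unescape(link))


if __name__ == "__main__":
    # Constructed inputs modelled on the report's payload plus benign links.
    samples = (
        "javascri\tpt:alert(1)",
        "javascri&#9;pt:alert(1)",
        "JavaScript:alert(1)",
        "https://example.com/a b",
        "/docs/x",
    )
    for candidate in samples:
        print(repr(candidate), "naive:", naive_is_javascript_link(candidate),
              "browser scheme:", scheme_as_browser_sees_it(candidate),
              "sanitized:", sanitize_link(candidate))
```

Checking the scheme after emulating the browser's normalization is what makes the allow-list robust: it does not need a list of whitespace variants, because any tab, newline or leading control the browser would discard is discarded here too before the comparison. Percent-encoding the stored value on top of that, as the maintainer does, keeps the rendered href identical to the checked one.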

François Jacquet validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit ba96fa a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE