Cross-site Scripting (XSS) - Stored in tsolucio/corebos


Reported on Nov 28th 2021


coreBOS is vulnerable to Stored XSS via Entity Name in User Preferences.

Steps to reproduce

1. After login, click on the avatar icon on the top right corner to go to My Preferences.
2. Click the Edit button.
3. In the Last Name field, input the payload <SvG/onLoad=confirm(document.cookie)> then click the Save button.
4. Now you will see that the payload has been filtered in the Last Name field. However, it is displayed in the Entity Name field.
5. To trigger XSS, click on the Entity Name field then click the Save button under that field.
6. Reload the page or go to the homepage, and you will see the XSS is triggered.

Proof of Concept

You can check my PoC here: PoC


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
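
The report describes a value that is filtered in one field (Last Name) but still reaches the page through another (Entity Name). The PHP below is an added example, not coreBOS code and not the fix in commit 1dd461; it assumes the entity name is composed from the stored name fields, and the function names (entityName, renderUnsafe, renderSafe, h) and the sample profile are hypothetical.

```php
<?php
// Added illustration, not coreBOS code. All names below are hypothetical.

// Constructed sample profile. The last name is the payload from step 3,
// stored as-is because the input filter did not cover every path.
$user = [
    'first_name' => 'Alice',
    'last_name'  => '<SvG/onLoad=confirm(document.cookie)>',
];

// Assumption: the display name is derived from stored fields, so it
// inherits whatever markup those fields contain.
function entityName(array $user): string
{
    return trim($user['first_name'] . ' ' . $user['last_name']);
}

// Before: the derived value is concatenated into markup unencoded, so a
// stored tag becomes a live element when the page is rendered.
function renderUnsafe(array $user): string
{
    return '<span class="entity-name">' . entityName($user) . '</span>';
}

// HTML-context encoder applied at the point of output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every sink encodes, regardless of which field or input path
// the value originally came from.
function renderSafe(array $user): string
{
    return '<span class="entity-name">' . h(entityName($user)) . '</span>';
}

// Regression check: the encoded value must not contain markup characters.
$prefix = '<span class="entity-name">';
$safe   = renderSafe($user);
$inner  = substr($safe, strlen($prefix), -strlen('</span>'));
if (strpbrk($inner, '<>"\'') !== false) {
    throw new RuntimeException('entity name reached the page unencoded');
}

echo renderUnsafe($user), PHP_EOL;
echo $safe, PHP_EOL;
```

Marking the session cookie HttpOnly limits the cookie-theft impact described above, but it does not remove the script injection itself.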

We are processing your report and will contact the tsolucio/corebos team within 24 hours. (2 years ago)
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (2 years ago)
We have sent a follow up to the tsolucio/corebos team. We will try again in 4 days. (2 years ago)
Joe Bordes validated this vulnerability. (2 years ago)
khanhchauminh has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Joe Bordes marked this as fixed in 8.0 with commit 1dd461. (2 years ago)
Joe Bordes has been awarded the fix bounty.
2 years ago


Hi @maintainer,

Did you update the fix to the demo site? I have just tested again and the XSS vulnerability still exists.
