Cross-site scripting and open redirect vulnerability on Rock RMS Login Page in sparkdevnetwork/rock

Valid

Reported on May 12th 2022


Description

The Rock RMS login page accepts a returnUrl query parameter and, once the user has logged in successfully, assigns its value to window.location.href. The value is not restricted to a safe scheme or to the site's own origin, so an attacker can craft a login link whose returnUrl is a javascript: URL (for example 'javascript:...'); when the victim logs in through that link, the browser executes the attacker's JavaScript in the context of the Rock RMS page. The same parameter also lets the attacker send the freshly logged-in user to any external URL they choose, which is an open redirect.

Proof of Concept

To demonstrate the XSS vulnerability, open this PoC link, which loads the demo login page, and log in with the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=javascript%253Aalert(%27xss%27)

An alert box is displayed after login, showing that the JavaScript in the returnUrl parameter was executed.

To demonstrate the open redirect vulnerability, open this PoC link, which loads the demo login page, and log in with the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=https%253A%252F%252Fgoogle.com

After login you are sent to google.com instead of the Rock RMS dashboard page you would normally land on.
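The report describes the sink (returnUrl handed straight to window.location.href) but not a fix. The following is an added example, not Rock RMS code and not the maintainers' patch: a client-side check that resolves returnUrl against the site's own origin and only lets through http(s) URLs on that origin. The site origin https://rock.example and the payload list are constructed for the demonstration; the list includes the two PoC payloads from above (URL-decoded) plus the bypass variants a pentester would try against a naive allow-list.

```javascript
// Added example (not Rock RMS code): validate returnUrl before it reaches
// window.location.href. siteOrigin "https://rock.example" and the payloads
// below are constructed for this demonstration.

// Resolve returnUrl against the site's own origin and accept it only if the
// result is an http(s) URL on that same origin. Everything else (javascript:,
// data:, another host, a protocol-relative "//host" or a backslash variant)
// collapses to the fallback path, which removes both the XSS and the redirect.
function safeReturnUrl(returnUrl, siteOrigin, fallback = "/") {
  if (typeof returnUrl !== "string" || returnUrl.trim() === "") {
    return fallback;
  }
  let target;
  try {
    // Relative inputs resolve against siteOrigin; absolute inputs keep their
    // own scheme and host, which is exactly what the checks below inspect.
    target = new URL(returnUrl, siteOrigin);
  } catch (err) {
    return fallback; // unparsable input is never a valid redirect target
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallback; // javascript:, data:, vbscript:, file: are all rejected
  }
  if (target.origin !== new URL(siteOrigin).origin) {
    return fallback; // any other scheme, host or port is an open redirect
  }
  // The normalized absolute URL is now guaranteed to be same-origin.
  return target.href;
}

// Constructed payloads: the two PoC values from this report (decoded) plus
// filter-bypass variants worth checking against any fix.
const PAYLOADS = [
  "/page/12?x=1",                          // legitimate relative target
  "https://rock.example/page/3#top",       // legitimate absolute target
  "javascript:alert('xss')",               // PoC 1: script execution
  "https://google.com",                    // PoC 2: open redirect
  "JaVaScRiPt:alert(1)",                   // mixed-case scheme
  "  javascript:alert(1)",                 // leading spaces, stripped by the URL parser
  "data:text/html,<script>alert(1)</script>",
  "//google.com/phish",                    // protocol-relative URL
  "/\\google.com",                         // browsers treat the backslash as a slash
  "https://rock.example.evil.com/",        // defeats a startsWith/suffix host check
  "https://rock.example@google.com/",      // userinfo trick: the host is google.com
];

// Run every payload through the check and record which ones were neutralized.
function audit(siteOrigin = "https://rock.example", fallback = "/") {
  return PAYLOADS.map((payload) => {
    const result = safeReturnUrl(payload, siteOrigin, fallback);
    return { payload, result, blocked: result === fallback };
  });
}

for (const row of audit()) {
  console.log(JSON.stringify(row));
}
```

Two points to check when applying this pattern to a real application. First, the check must run on the exact string that will reach window.location.href, after every decoding step the server performs; the PoC URLs on this page are double-encoded (%253A), so the parameter is evidently decoded again before use, and a check applied to the raw query string would see only the harmless encoded form. Second, return the resolved absolute URL rather than the raw input or a bare pathname: a pathname that begins with "//" would otherwise be interpreted as a protocol-relative URL and reopen the redirect.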

Impact

Script running in the context of the Rock RMS page can make the victim's browser perform actions as the logged-in user, deface the page, or send the user to a malicious website. The open redirect also supports credential theft: after a genuine login the attacker can forward the user to a look-alike Rock login page they host and capture what is typed there. If the session cookie or token is not adequately protected (for example, a cookie that is readable by script), the injected JavaScript can read it directly from the legitimate Rock site instead.

We are processing your report and will contact the sparkdevnetwork/rock team within 24 hours. (2 years ago)
Jordan Sherman modified the report. (2 years ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (2 years ago)
We have contacted a member of the sparkdevnetwork/rock team and are waiting to hear back. (2 years ago)
sparkdevnetwork/rock maintainer has acknowledged this report. (2 years ago)
sparkdevnetwork/rock maintainer validated this vulnerability. (2 years ago)
Jordan Sherman has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
sparkdevnetwork/rock maintainer marked this as fixed in 1.13.4 with commit 2d55a2. (2 years ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
sparkdevnetwork/rock maintainer gave praise (2 years ago):
Thank you. There were two spots that we fixed with two different commits, but the system only let me enter one. The other was [5510037](https://github.com/sparkdevnetwork/rock/commit/55100374b4671dda84f32c0e97e42f7acb30e57e).
Jordan Sherman (Researcher), 2 years ago:

Thanks @maintainer. Should we assign a CVE to this? @admin

Jamie Slome (Admin), 2 years ago:

Happy to assign a CVE if the maintainer is 👍
