Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis


Reported on

Apr 23rd 2022


he software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

  • login as an admin
  • go to
  • paste payload <iframe srcdoc="<svg onload=alert(1);>"> to notes
  • observe alert pop up


Every user visiting the page can be affected by malicious javascript code created by the attacker.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
intrapus modified the report
2 years ago
intrapus modified the report
2 years ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
François Jacquet validated this vulnerability 2 years ago
intrapus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit 7ded1e 2 years ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
PortalNotes.php#L55-L180 has been validated
to join this conversation