Stored HTML Injection in btcpayserver/btcpayserver


Reported on

Jan 20th 2023


I hope you are all doing well.

*. I wanted to bring to your attention a potential vulnerability on the website

*. During my research, I discovered that the api key label field is vulnerable to a stored HTML injection attack.

Proof of Concept:

*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

*. The link for the video is provided below for your review:

Reproduction Steps:

*. Go to the website

*. Click account.

*. Click manage account.

*. Then move on to the api endpoint.

*. That is

*. Here, create api key with the label as a html payload.

*. Use the following HTML payload in the label field:

<a href="">clickhere</a>

*. Generate the api key.

*. Now, click delete.

*. Check that deleting part rendered the html injection.

*. That's the issue.


*. Restrict special characters and HTML encode attributes in the input fields.

*. Use regular expressions or other techniques to detect and reject malicious input.

*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.

*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.


*. A stored HTML injection attack occurs when an attacker injects malicious HTML code into legitimate HTML code of a web application.

*. This vulnerability can lead to various types of attacks, including open redirects, phishing attempts, and browser hijacking.

*. Additionally, an attacker can gain access to the victim's IP address, latitude and longitude, and potentially carry out a camera phishing attack.

*. Overall, a stored HTML injection vulnerability can have severe consequences and it is important to prevent and mitigate this type of attack.

We are processing your report and will contact the btcpayserver team within 24 hours. a year ago
We have contacted a member of the btcpayserver team and are waiting to hear back a year ago
btcpayserver/btcpayserver maintainer has acknowledged this report a year ago
Nicolas Dorier
a year ago


Several part of the code has similar issue, we are working on fixing it

Nicolas Dorier
a year ago


Nicolas Dorier validated this vulnerability a year ago
thewhiteevil has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Manojkumar J
a year ago



Thanks for the update. Can we assign a cve for this finding?

Nicolas Dorier
a year ago


Yes, though it need to be mentioned that CSP prevents script injection, as such the severity is moderate.

Manojkumar J
a year ago


Absolutely, you're spot on. It's important to highlight that CSP effectively blocks JavaScript injection attacks.

Nicolas Dorier marked this as fixed in 1.7.5 with commit 02070d a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
Nicolas Dorier gave praise a year ago
Thank you, we can close this one.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Manojkumar J
a year ago


Thanks, accepted for closure.

to join this conversation