Cross-site Scripting (XSS) - Stored in hestiacp/hestiacp


Reported on

Aug 19th 2023


1. Go to Server settings ==> choose Configure.
2. Continue to Backup ==> Remote Backup.
3. Inject the payload into the fields host, port, username, ... The value is stored and rendered back into the form unescaped, so it executes whenever an admin reopens the page.

Proof of Concept

link PoC :


payload = "><img src=x onerror=alert(1)


Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware. Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions. Here the payload fires in the browser of the administrator who opens the remote-backup settings page, so it runs with that administrator's control-panel session. Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage. It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.

We are processing your report and will contact the hestiacp team within 24 hours. 3 months ago
nam-no modified the report
We have contacted a member of the hestiacp team and are waiting to hear back 3 months ago
Jaap Marcus modified the Severity from High (8.8) to Low (3.2) 3 months ago


@maintainer Hi, can you please specify a CVE for this vulnerability. It's necessary for my work

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Jaap Marcus validated this vulnerability 3 months ago
nam-no has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jaap Marcus marked this as fixed in 1.8.6 with commit d30e3e 3 months ago
Jaap Marcus has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 25th 2023


Thank you for responding.

Jaap Marcus published this vulnerability 3 months ago