Stored Cross Site Scripting in the username in wallabag/wallabag


Reported on

Feb 2nd 2023


Stored XSS occurs when an attacker injects malicious code into a website, which is then stored on the server. In this case, the malicious code is being stored as the user's username.

When someone accesses the shared page, the website retrieves the user's username from the server and displays it as part of the message "shared by". At this point, the XSS payload is executed.

Proof of Concept

Proof of Concept Video


This vulnerability allows the attacker to execute malicious code in the victim's browser. This can potentially lead to a wide range of security problems, such as stealing sensitive information, hijacking user sessions, and more.
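The rendering flaw described above, next to its output-escaped form, as an added example that is not wallabag's code or part of the original report. The message template, function names and sample usernames are assumptions made for illustration; the audit helper goes slightly beyond the report by listing already-stored usernames that deserve review after patching.

```python
import html
import re

# Assumed message format: trusted markup written by the application, with
# %placeholders% filled from stored data. Not wallabag's real template.
SHARED_BY = 'Shared by %username% with <a href="%instance%">wallabag</a>'

# Characters that are meaningful in HTML text or attribute context.
HTML_META = re.compile(r"[<>\"'&]")


def fill(template, params):
    """Substitute %name% placeholders in a single pass."""
    return re.sub(r"%(\w+)%", lambda m: params[m.group(1)], template)


def render_vulnerable(username, instance_url):
    """'Before' form: the stored username reaches the page verbatim."""
    return fill(SHARED_BY, {"username": username, "instance": instance_url})


def render_hardened(username, instance_url):
    """Escape each stored value for HTML before it meets trusted markup."""
    safe = {
        "username": html.escape(username, quote=True),
        "instance": html.escape(instance_url, quote=True),
    }
    return fill(SHARED_BY, safe)


def audit_usernames(usernames):
    """List stored usernames that carry HTML metacharacters, for review
    after patching (output escaping does not clean data already stored)."""
    return [u for u in usernames if HTML_META.search(u)]


if __name__ == "__main__":
    # Constructed sample data: a benign marker stands in for the payload.
    stored = ["alice", "bob_42", "<script>alert(1)</script>"]
    for name in stored:
        print(render_hardened(name, "https://wallabag.example"))
    print("review:", audit_usernames(stored))
```

Escaping is applied to the values, not to the finished string, so the application's own link markup survives while the stored username is rendered as text.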

We are processing your report and will contact the wallabag team within 24 hours. (a year ago)
We have contacted a member of the wallabag team and are waiting to hear back. (a year ago)
wallabag/wallabag maintainer has acknowledged this report. (a year ago)
Jérémy Benoist validated this vulnerability. (a year ago)
gabriel-vernilo has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Jérémy Benoist marked this as fixed in 2.5.4 with commit 4e023b. (a year ago)
Jérémy Benoist has been awarded the fix bounty.
This vulnerability has now been published. (a year ago)
wallabag/wallabag maintainer gave praise. (a year ago)
Thank you @gabriel-vernilo !
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Gabriel Vernilo
a year ago


Thanks 😁❤
