Cross-site Scripting (XSS) - Stored in nuxsmin/syspass


Reported on

May 31st 2022


Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding.

Proof of Concept

1.Access demo website and login with an account.

2.Create new account, in URL/IP field -> input" onclick="alert(document.domain) -> payload will escape from href and title attribute -> Set permission to public for all account

3.Save account -> anyother accounts try to access the URL/IP asssigned to that account -> an alert box will pop up.




1.Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

2.Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

We are processing your report and will contact the nuxsmin/syspass team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
dungtuanha modified the report
2 years ago
dungtuanha modified the report
2 years ago
dungtuanha modified the report
2 years ago
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back 2 years ago
We have sent a follow up to the nuxsmin/syspass team. We will try again in 7 days. a year ago
nuxsmin/syspass maintainer has acknowledged this report a year ago
nuxsmin gave praise a year ago
Many thanks for your contribution!!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
nuxsmin modified the Severity from Critical (9) to Medium (4.8) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
nuxsmin validated this vulnerability a year ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nuxsmin marked this as fixed in v3.2.5 with commit 4da4d0 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE has been validated
a year ago

Hi, your demo website ( is always vulnerable to this issue.

to join this conversation