FS#207 : reflected XSS at admin.alwaysdata.com

Status Closed
Assigned To

cbay
Private

Attached to Project: Security vulnerabilities
Opened by wickedwolve - 29.08.2025
Last edited by cbay - 08.09.2025

FS#207 - reflected XSS at admin.alwaysdata.com

Hello there,

i found an XSS vulnerability affecting "addresses" JSON parameter in a POST request to admin.alwaysdata.com/site/resolver.
i have to apologies I didn't get around including a custom header before i found the bug, I'm hopeful this will be overlooked on my part
my POC Is attached below pretty neet and straightforward and includes my IP as requested in POC guidelines. cheers.

Screenshot 2025-08-28 090156.... (156.6 KiB)

Screenshot 2025-08-28 090322.... (37.2 KiB)

Closed by cbay
08.09.2025 07:05
Reason for closing: Invalid

Comments (2)
Related Tasks (0/0)

wickedwolve commented on 29.08.2025 07:47

Hello,
I wanted to confirm that the payload I submitted is (`<script>alert(document.domain)</script>`) does indeed execute in the browser.
I also tested with `<script>alert(1)</script>` and observed the alert popup, which confirms this is an exploitable XSS issue.
i am sorry this is my first report

Please let me know if you need additional details.
Best regards,
Chris,
[Your Email]

cbay commented on 29.08.2025 08:01

Hello,

This is a self-XSS, so not exploitable by an attacker.

Kind regards,
Cyril

	Tasks related to this task (0)

Loading...

Keyboard shortcuts

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task