BTCPay Server v1.7.4 - HTML Injection

vendor:

BTCPayServer

by:

Manojkumar J (TheWhiteEvil)

8.8

CVSS

HIGH

HTML Injection

CWE

Product Name: BTCPayServer

Affected Version From: <=1.7.4

Affected Version To: <=1.7.4

Patch Exists: YES

Related CWE: CVE-2023-0493

CPE: a:btcpayserver:btcpayserver:1.7.4

Metasploit:

Platforms Tested: Windows10

2023

BTCPay Server v1.7.4 – HTML Injection

BTCPay Server v1.7.4 HTML injection vulnerability. An attacker can inject malicious HTML code into the label field of the API key, which will be rendered when the API key is deleted.

Mitigation:

Input validation should be used to prevent malicious HTML code from being injected.

Source

Exploit-DB raw data:

# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link:
https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows10
# CVE : CVE-2023-0493

# Description:

BTCPay Server v1.7.4 HTML injection vulnerability.

# Steps to exploit:

1. Create an account on the target website.

Register endpoint: https://target-website.com/register#

2. Move on to the API key and create API key with the html injection in the
label field.

Example:

<a href="https://hackerbro.in">clickhere</a>


3. Click remove/delete API key, the html injection will render.