February 1, 2022

GHSL-2021-103: Cross-Site Scripting (XSS) in Erxes - CVE-2021-32853

GitHub Security Lab

Coordinated Disclosure Timeline


Cross-Site scripting in


Tested Version

The latest version as of the date of this advisory.


This template tag in widgets.ejs writes a value into an inline script without escaping it (the EJS `<%-` tag emits raw output), which makes it vulnerable to code injection:

        window.knowledgebaseSettings = {
          topic_id: "<%- kbTopicId %>"

The value comes from a request parameter here:

  res.render('widget', {
    type: 'knowledgebase',
    env: getEnv(),
    kbTopicId: req.query.topicId

The inserted value is not escaped, so one can break out of the string literal or the enclosing script tag:

At the time of writing, this can be verified on the live demo by following these links (they are harmless):
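The pattern described above, as an added example that is not code from the Erxes project or from this advisory: `renderUnsafe` mirrors the raw `<%- kbTopicId %>` interpolation of a query parameter into a double-quoted JavaScript string, and `renderSafe` is the corrected form, which emits the value as a JSON literal with `<`, `>` and `&` escaped so neither the string literal nor the enclosing `<script>` element can be terminated. `scriptIsIntact` is a hypothetical regression check a template test suite could run; the function names and sample inputs are constructed for this example.

```javascript
// Added example (not Erxes code): embedding an untrusted request parameter
// into an inline <script> block, vulnerable form beside the fixed form.

// Encode a value as a JavaScript literal that is safe inside <script>.
// JSON.stringify handles quotes and backslashes; the replacements keep
// "</script" and "<!--" from ever appearing in the output, because the HTML
// parser does not decode entities inside a <script> element, so HTML
// escaping alone would only garble the value rather than protect it.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable form: raw interpolation into a double-quoted string literal,
// equivalent to topic_id: "<%- kbTopicId %>" in the template.
function renderUnsafe(topicId) {
  return '<script>\n' +
    '  window.knowledgebaseSettings = {\n' +
    '    topic_id: "' + topicId + '"\n' +
    '  };\n' +
    '</script>';
}

// Fixed form: the value is emitted as an encoded JavaScript literal.
function renderSafe(topicId) {
  return '<script>\n' +
    '  window.knowledgebaseSettings = {\n' +
    '    topic_id: ' + jsLiteral(String(topicId)) + '\n' +
    '  };\n' +
    '</script>';
}

// Regression check (hypothetical): the rendered markup must contain exactly
// one closing </script>, and the embedded literal must parse back to the
// original value. Both conditions fail for the vulnerable form on hostile input.
function scriptIsIntact(html, original) {
  const closes = html.match(/<\/script/gi) || [];
  const m = html.match(/topic_id: (.*)\n/);
  if (closes.length !== 1 || !m) return false;
  try {
    return JSON.parse(m[1]) === String(original);
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs, not values taken from the advisory.
const benign = 'getting-started';
const hostile = '"</script><b>x</b><script>';

console.log('unsafe, benign :', scriptIsIntact(renderUnsafe(benign), benign));   // true
console.log('unsafe, hostile:', scriptIsIntact(renderUnsafe(hostile), hostile)); // false
console.log('safe,   hostile:', scriptIsIntact(renderSafe(hostile), hostile));   // true
```

In EJS the fix amounts to `topic_id: <%- JSON.stringify(kbTopicId).replace(/</g, '\\u003c') %>` (or a helper like `jsLiteral` exposed to the template); switching to `<%= %>` would stop the breakout but leave the value HTML-entity-encoded inside the script, which is not what the client code expects.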



Code execution on the client side. The victim must follow a malicious link or be redirected from a malicious web site.


This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.


You can contact the GHSL team at, please include GHSL-2021-103 in any communication regarding this issue.