February 1, 2022

GHSL-2021-104: Cross-Site Scripting in countly-server - CVE-2021-32852

GitHub Security Lab

Coordinated Disclosure Timeline


Cross-site scripting in


Tested Version

The latest version at the time of the report.


Code injection is possible in the following template snippet in reset.html, which embeds request-controlled values directly into inline JavaScript:

showMessage("<%= message %>", "<%= password_min %>");

Both message and password_min come from query parameters passed in here (reformatted below for convenience):

res.render('reset', {
    "message": req.query.message || "",
    password_min: req.query.password_min || "",

The <%= message %> tag performs HTML-escaping, which rewrites a double quote as &#34; and so ordinarily prevents breaking out of the string literal. The backslash, however, is not escaped, so injection is possible by ending the message parameter with a single backslash (which escapes the template's closing quote of the first argument) and placing the remainder of the payload in password_min.

Resulting in the following code generated by the template:

showMessage("\", ", alert(1)); //");

The first string literal now runs up to the template's opening quote of the second argument, the attacker-supplied comma and alert(1) become a second argument to showMessage, the following parenthesis closes the call, and // comments out the rest of the original line. alert(1) is evaluated as an argument before showMessage is even invoked.
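The following Node.js script is an added illustration, not code from the countly-server project or from this advisory. It models the escaping that an EJS <%= %> tag applies with a small re-implementation written for this example (ejsEscape is not the EJS library's own code), renders the vulnerable line with attacker input reconstructed from the generated code above (message set to a lone backslash, password_min set to `, alert(1)); //`), and then evaluates the rendered line with stub showMessage and alert functions to show the injected call going through. The same input rendered through JSON.stringify, which escapes both backslash and double quote, stays inert. The function and constant names are this example's own assumptions.

```javascript
// Added example, not code from countly-server or the advisory. Models how the
// HTML escaping of an EJS <%= %> tag fails to protect a JavaScript string
// literal, and shows one correct way to embed request data in inline script.

// Minimal re-implementation (assumption, written for this example) of the
// escaping EJS applies to <%= %>: only & < > " ' are rewritten; a backslash
// passes through unchanged, which is the root cause of the bug.
function ejsEscape(value) {
  const rules = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => rules[ch]);
}

// The vulnerable line from reset.html, rendered as the template engine would.
function renderVulnerable(message, passwordMin) {
  return `showMessage("${ejsEscape(message)}", "${ejsEscape(passwordMin)}");`;
}

// Fixed rendering: JSON.stringify emits a valid JS string literal, escaping
// both \ and " so the attacker can never leave the literal. The extra
// replacements keep "</script>" and the JS line terminators U+2028/U+2029
// from breaking out of the surrounding <script> block.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderFixed(message, passwordMin) {
  return `showMessage(${jsLiteral(message)}, ${jsLiteral(passwordMin)});`;
}

// Executes a rendered script with stub showMessage/alert functions and records
// what each was called with, standing in for the victim's browser.
function execute(source) {
  const calls = { showMessage: [], alert: [] };
  const script = new Function('showMessage', 'alert', source);
  script(
    (msg, min) => { calls.showMessage.push([msg, min]); },
    (arg) => { calls.alert.push(arg); },
  );
  return calls;
}

// Constructed attacker input, reconstructed from the generated code quoted in
// the advisory: a lone backslash in message, the rest of the payload in
// password_min.
const ATTACK_MESSAGE = '\\';
const ATTACK_PASSWORD_MIN = ', alert(1)); //';

// A plain quote-based breakout, for contrast: the quote is HTML-escaped and
// stays inside the literal, which is why the escaping "ordinarily" suffices.
const QUOTE_MESSAGE = '", alert(1)); //';

if (typeof require !== 'undefined' && require.main === module) {
  const vulnerable = renderVulnerable(ATTACK_MESSAGE, ATTACK_PASSWORD_MIN);
  console.log('vulnerable:', vulnerable);
  console.log('  alert calls:', execute(vulnerable).alert); // [ 1 ]

  const quoted = renderVulnerable(QUOTE_MESSAGE, '');
  console.log('quote only: ', quoted);
  console.log('  alert calls:', execute(quoted).alert); // []

  const fixed = renderFixed(ATTACK_MESSAGE, ATTACK_PASSWORD_MIN);
  console.log('fixed:      ', fixed);
  console.log('  alert calls:', execute(fixed).alert); // []
}
```

Run it with node to see the three renderings side by side. The general lesson is that HTML escaping is the wrong encoder for a JavaScript string context; an even cleaner fix is to avoid inline script altogether and pass the values through a data attribute or a JSON endpoint that the page reads at runtime.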



Code execution on the client side: attacker-controlled JavaScript runs in the victim's browser in the context of the Countly application.
The victim must follow a malicious link or be redirected to it from a malicious web site. The attacker must have an account or be able to create one.
It is unclear how the open-source code relates to the enterprise version of the software; it is possible that only the community edition is affected.


This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.


Please include GHSL-2021-104 in any communication with the GHSL team regarding this issue.