April 18, 2024

GHSL-2023-253: Cross-Site Scripting (XSS) in openrasp - CVE-2024-29183

Kevin Stubbings

Coordinated Disclosure Timeline


A reflected XSS vulnerability exists in the openrasp cloud interface that allows an unauthenticated attacker to hijack the session of any user who follows a crafted link and then logs in.



Tested Version



reflected XSS in /login (GHSL-2023-253)

The /login page contains a reflected XSS: the redirect query parameter is assigned to location.href without validation, so an attacker-supplied javascript: URL is executed with the permissions of the user as soon as the user logs in with their account.

doLogin: function() {
  // the HTTP helper's name is not shown on this page; request.post is a stand-in
  return request.post('v1/user/login', {
    username: this.username,
    password: this.password
  }).then(res => {
    if (this.$route.query.redirect) {
      location.href = this.$route.query.redirect // assignment of query parameter to DOM
    } else {
      this.$router.push({
        name: 'dashboard'
      })
    }
  })
}

This vulnerability was found with the help of CodeQL


This issue may lead to Privilege Escalation and Information Disclosure

Proof of Concept

The following URL creates an alert showing the cookie of the logged-in user. This demonstrates that arbitrary JavaScript can be executed and that the cookie value can be accessed, allowing an attacker to steal the cookie and log in as the victim. To hide the attack from the user, an attacker can URL-encode the payload as a form of obfuscation.
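The following is an added example, not code from openrasp or from the advisory. It shows, for the login handler above and the proof of concept just described, why assigning the raw redirect parameter to location.href is dangerous (the browser resolves a javascript: value to the javascript: scheme and executes it in the page's origin) and one way to harden it: resolve the parameter against the application's own origin with the URL parser and only keep a same-origin path. The origin https://rasp-cloud.example/ and the /dashboard fallback are assumptions made for the example; a real deployment would use its own.

```javascript
// Added example (not openrasp code). Assumed application origin for the demo:
const APP_ORIGIN = 'https://rasp-cloud.example/';

// Vulnerable pattern: the handler does `location.href = query.redirect`, so the
// browser navigates to whatever scheme the parameter resolves to. This helper
// reports that scheme, which is how the proof of concept reaches javascript:.
function resolvedProtocol(redirectParam) {
  // Vue Router has already percent-decoded the query value once, which is why
  // an encoded payload in the link still works against the vulnerable code.
  return new URL(redirectParam, APP_ORIGIN).protocol;
}

// Hardened form: accept only a path on our own origin. Returns the path (plus
// query and fragment) to navigate to, or the fallback when the value is not
// acceptable. The WHATWG URL parser does the normalisation for us, so
// javascript:, data:, absolute http(s) URLs, protocol-relative //host, and the
// backslash variant /\host are all rejected by the single origin comparison.
function safeRedirect(redirectParam, fallback = '/dashboard') {
  if (typeof redirectParam !== 'string' || redirectParam.length === 0) {
    return fallback;
  }
  let url;
  try {
    url = new URL(redirectParam, APP_ORIGIN);
  } catch (e) {
    return fallback; // unparseable input
  }
  if (url.origin !== new URL(APP_ORIGIN).origin) {
    return fallback; // would leave our origin (or has the opaque origin "null")
  }
  // Hand back a relative target only, never a full URL, so the caller cannot
  // accidentally reintroduce a host or scheme chosen by the attacker.
  return url.pathname + url.search + url.hash;
}

// Usage in the login handler would be:
//   location.href = safeRedirect(this.$route.query.redirect)
```

With this in place the proof-of-concept link falls back to /dashboard, while a legitimate deep link such as /hosts?page=2#top is preserved. The check lives on the client because that is where the sink is; if the server also emits redirect targets, it should apply the same rule.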




This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).


You can contact the GHSL team at, please include a reference to GHSL-2023-253 in any communication regarding this issue.