Opened 21 months ago

Last modified 15 months ago

#28681 new defect

reflected XSS

Reported by: 0x539h
Owned by: metrics-team
Priority: Medium
Milestone:
Component: Metrics/Relay Search
Version:
Severity: Major
Keywords: xss, cross-site scripting, easy
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Hello! I have found a reflected XSS vulnerability on a subdomain of torproject.
You should fix it :) A screenshot with an easy exploit is attached to the ticket.
If it is possible, I will be proud to get one more sticker pack.

The vector is:

"><img src=x onerror=alert(1)>


Attachments (1)

Screenshot from 2018-11-27 14-11-56.png (138.1 KB) - added by 0x539h 21 months ago.

Change History (4)

Changed 21 months ago by 0x539h


comment:1 Changed 21 months ago by arma

Component: - Select a component → Metrics/Relay Search
Owner: set to metrics-team
Sponsor: Sponsor2
Version: sbws: unspecified

comment:2 Changed 21 months ago by irl

Priority: High → Medium

It is a bug, but it's not particularly scary as there is nothing you can get at that would be privileged here.

0x539h: the code is at

It would probably be best to clean the inputs in the router:

Would you like to make a patch?
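
One way to apply the suggestion in comment:2, as an added example that is not Relay Search code and not part of the ticket: normalize the query in the route handler and HTML-escape it where it is written into markup. The function names and the `<input>` markup are assumptions, since the ticket does not show where the value is reflected; the sample input is the vector quoted in the report.

```javascript
// Added example, not Relay Search code. All function names are hypothetical.

// Characters that let text break out of HTML element or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Router-side cleanup (assumed shape): decode the route fragment once,
// drop control characters, trim whitespace, and cap the length.
function cleanQuery(fragment) {
  let decoded;
  try {
    decoded = decodeURIComponent(fragment);
  } catch (e) {
    return ""; // malformed percent-encoding: treat as an empty search
  }
  return decoded.replace(/[\u0000-\u001f\u007f]/g, "").trim().slice(0, 256);
}

// Before: the query is concatenated into an attribute value as-is.
function renderSearchBoxUnsafe(query) {
  return '<input type="text" name="query" value="' + query + '">';
}

// After: same markup, but the value is escaped at the point of output.
function renderSearchBox(query) {
  return '<input type="text" name="query" value="' + escapeHtml(query) + '">';
}

// Constructed input: the vector from the ticket, percent-encoded as in a URL.
const sample = encodeURIComponent('"><img src=x onerror=alert(1)>');
const query = cleanQuery(sample);
console.log(renderSearchBoxUnsafe(query)); // attribute closes early, <img> becomes markup
console.log(renderSearchBox(query));       // payload stays inside value="..."
```

Normalizing in the router alone leaves the quote and angle brackets intact, so the escaping at the output site is what keeps the value inside the attribute.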

comment:3 Changed 15 months ago by irl

Keywords: easy added