[FIXED] Markdown XSS in loomio before 1.8.0 #4220

Framartin opened this issue Jul 21, 2017 · 1 comment



commented Jul 21, 2017

For transparency reasons, the email I sent to Loomio maintainers on March 2, 2017 is reproduced below. This XSS vulnerability was fixed by this commit: 63973f7
This fix was shipped with Loomio v1.8.0


I just found an XSS vulnerability in Loomio.

How to reproduce

  • A malicious user creates a new thread
  • In the description, (s)he enters: [my link](javascript:alert('xss'))
  • The targeted user visits the thread and clicks on the malicious link
  • The JS payload is executed

How to fix

"href" content should be sanitized

I found this vulnerability because I'm currently and voluntarily
searching for XSS vulnerabilities in the services that we offer or use
at the French non-profit association Framasoft.

I remain available for any additional comments or questions.


Thanks to the Loomio developers for the fix.

Edit: Note that it was also possible to exploit this vulnerability by posting a comment inside a thread.

@Framartin Framartin closed this Jul 21, 2017
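
One way to apply the "href content should be sanitized" advice from the report above, as an added example that is not part of the original issue and is not Loomio's actual fix: a scheme allowlist applied to Markdown link targets before they are written into an `href`. The function names and the set of allowed schemes are assumptions.

```javascript
// Added example, not Loomio's code: all names here are hypothetical.
// Assumption: only these schemes are wanted in user-supplied links.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the href that is safe to emit, or null when the scheme is not allowed.
function sanitizeHref(href) {
  // Browsers drop leading control characters/spaces and ignore tab, CR and LF
  // inside a URL, so normalise the same way before reading the scheme.
  const normalized = String(href)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalized);
  if (!scheme) return normalized; // no scheme: relative URL, resolved against the page
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase()) ? normalized : null;
}

// Minimal renderer for inline links only, [text](url), with one level of
// parentheses allowed inside the URL. Everything else is emitted as escaped text.
function renderLinks(markdown) {
  const link = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = link.exec(markdown)) !== null) {
    out += escapeHtml(markdown.slice(last, m.index));
    const href = sanitizeHref(m[2]);
    out += href === null
      ? escapeHtml(m[1]) // disallowed scheme: keep the label, drop the link
      : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`;
    last = link.lastIndex;
  }
  return out + escapeHtml(markdown.slice(last));
}

// Constructed sample input: the link from the report plus an ordinary one.
const sample = "[my link](javascript:alert('xss')) and [docs](https://example.org/?a=1&b=2)";
console.log(renderLinks(sample));
```

The same check has to run on every field that is rendered as Markdown, since the report notes that comments inside a thread were affected as well as thread descriptions.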



commented Jul 24, 2017

CVE-2017-11594 is attributed to this issue.
