Project

General

Profile

Actions
Copy link

Bug #13

closed

Stored Cross-Site Scripting (XSS) in Event HTML field via /api/events/create

Added by Vivek Kumar about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
High
Assignee:
-
Start date:
03/12/2026
Due date:
% Done:

100%

Estimated time:
2:00 h
Spent time:
1:00 h

Description

Title
Stored Cross-Site Scripting (XSS) in Event HTML field via /api/events/create

Environment
Application: aKinder Wellness Admin Panel
URL: https://dev.akinderwellness.com/pages/events
API Endpoint: /api/events/create
Browser: Chrome 145
Environment: Development

Description
The Create Event API accepts HTML content in the html parameter without sanitizing user input.
An attacker can inject malicious JavaScript using HTML event attributes such as onclick.
The injected script is stored in the database and executed in the browser when a user interacts with the rendered content.
This results in a Stored Cross-Site Scripting (Stored XSS) vulnerability.

Steps To Reproduce

  1. Send Post Request to API: POST /api/events/create
  2. Use the following payload in the html field

HelloHi

  1. Post the request and create the event successfully
  2. Navigate to https://dev.akinderwellness.com/pages/events
  3. Click the Hi link

Actual Result
JavaScript executes in the browser and an alert popup appears showing the XSS payload.

Expected result
User supplied HTML should be sanitized before rendering. Dangerous attributes such as:

  • onclick
  • onload
  • onerror
  • javascript:

IMPACT
Attacker can inject malicious scripts that can be executed on user's browser which can cause impact like:
Data Theft
Unauthorized API Actions
Phishing Attack within the application UI

Files

Download all files
XSS Bug AKW004.png (290 KB) XSS Bug AKW004.png Vivek Kumar, 03/12/2026 07:51 AM
POST httpsapi akinderwellness.txt (1.57 KB) POST httpsapi akinderwellness.txt Post request format used for the test Vivek Kumar, 03/12/2026 07:53 AM
Screenshot 2026-03-12 163748.png (303 KB) Screenshot 2026-03-12 163748.png Vivek Kumar, 03/12/2026 11:10 AM
Actions
Copy link
 #1

Updated by Adhi Narayanan about 1 month ago

  • % Done changed from 0 to 100

Thank you for reporting the Stored XSS vulnerability in the Event HTML field.
We have implemented server-side sanitization for both html and text fields using a whitelist-based HTML sanitizer.
Dangerous attributes such as onclick, onerror, onload, and javascript: URLs are now removed or escaped before saving to the database.
Please re-test the issue and confirm if it is resolved.

Actions
Copy link
 #2

Updated by Adhi Narayanan about 1 month ago

  • Status changed from New to Resolved
Actions
Copy link
 #3

Updated by Vivek Kumar about 1 month ago

I checked it again. In Development environment and the bug persists. I can't check it on production server as I am not given permission for it.

Actions
Copy link
 #4

Updated by Vivek Kumar about 1 month ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF