Bug #13
closedStored Cross-Site Scripting (XSS) in Event HTML field via /api/events/create
Description
Title
Stored Cross-Site Scripting (XSS) in Event HTML field via /api/events/create
Environment
Application: aKinder Wellness Admin Panel
URL: https://dev.akinderwellness.com/pages/events
API Endpoint: /api/events/create
Browser: Chrome 145
Environment: Development
Description
The Create Event API accepts HTML content in the html parameter without sanitizing user input.
An attacker can inject malicious JavaScript using HTML event attributes such as onclick.
The injected script is stored in the database and executed in the browser when a user interacts with the rendered content.
This results in a Stored Cross-Site Scripting (Stored XSS) vulnerability.
Steps To Reproduce
- Send Post Request to API:
POST /api/events/create - Use the following payload in the html field
HelloHi
- Post the request and create the event successfully
- Navigate to
https://dev.akinderwellness.com/pages/events - Click the Hi link
Actual Result
JavaScript executes in the browser and an alert popup appears showing the XSS payload.
Expected result
User supplied HTML should be sanitized before rendering. Dangerous attributes such as:
- onclick
- onload
- onerror
- javascript:
IMPACT
Attacker can inject malicious scripts that can be executed on user's browser which can cause impact like:
Data Theft
Unauthorized API Actions
Phishing Attack within the application UI
Files
| XSS Bug AKW004.png (290 KB) XSS Bug AKW004.png | |||
| POST httpsapi akinderwellness.txt (1.57 KB) POST httpsapi akinderwellness.txt | Post request format used for the test | ||
| Screenshot 2026-03-12 163748.png (303 KB) Screenshot 2026-03-12 163748.png |
