

Date: December 29, 2021


In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable to stored XSS in the notifications section, which can be triggered directly by sending an ally request to the admin.


IFme has a stored XSS vulnerability in notifications, which can be triggered directly by sending an ally request to the admin.

PoC Details

1. In the normal window, access the application by going to http://localhost:3000/users/sign_in and log in with admin credentials.
2. In the incognito window, go to http://localhost:3000/users/sign_in and log in as a normal user.
3. As the normal user, go to http://localhost:3000/users/edit and change the name to the XSS payload provided below.
4. Go to http://localhost:3000/allies and search for the admin’s email address.
5. Press “Add to allies” for the admin profile.
6. In the normal window, where we are logged in as admin, refresh the page; the XSS gets triggered.

PoC Code

<IFRAME SRC="javascript:alert(document.domain);"></IFRAME>
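The root cause class here is a stored profile name reaching the recipient's notification markup without output encoding. The Ruby sketch below is an added example, not ifme's own code: the `AllyRequest` struct, the renderer functions, the `/profile?uid=` link and the `injected_markup?` check are all hypothetical names chosen to show the unsafe pattern beside the encoded one, using the payload above as test input.

```ruby
require "erb"

# Hypothetical model of an ally request notification (not ifme's schema):
# sender_name is the free-text display name the sender set on their profile.
AllyRequest = Struct.new(:sender_name, :sender_id)

# Unsafe pattern: the stored name is interpolated into markup as-is, so any
# tags it contains become part of the page the recipient loads.
def render_notification_unsafe(req)
  %(<a href="/profile?uid=#{req.sender_id}">#{req.sender_name} sent you an ally request</a>)
end

# Hardened pattern: encode every user-controlled value for its output context
# at render time (HTML text for the name, URL component for the id).
def render_notification_safe(req)
  name = ERB::Util.html_escape(req.sender_name)
  uid  = ERB::Util.url_encode(req.sender_id.to_s)
  %(<a href="/profile?uid=#{uid}">#{name} sent you an ally request</a>)
end

# Regression check: the template itself only emits an <a> element, so any
# other opening tag in the rendered output came from user data.
def injected_markup?(html)
  html.scan(/<\s*([a-zA-Z][a-zA-Z0-9]*)/).flatten.any? { |tag| tag.downcase != "a" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the PoC string from this advisory as a display name.
  req = AllyRequest.new('<IFRAME SRC="javascript:alert(document.domain);"></IFRAME>', 42)
  puts "unsafe output carries injected markup: #{injected_markup?(render_notification_unsafe(req))}"
  puts "safe output carries injected markup:   #{injected_markup?(render_notification_safe(req))}"
  puts render_notification_safe(req)
end
```

A check like `injected_markup?` fits in a view or request spec so that a later template change that drops the encoding fails the build.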

Affected Environments

1.0.0 to v7.31.4


Update to version v7.32

Language: Ruby

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to version v7.32


Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None