Edoardo Ottavianelli



Author: Edoardo Ottavianelli

In this post I will go through CVE-2023-30097: the description, replication of the vulnerability and POC.

Messenger, a product of TotalJS, is "a chat application for programmers. Our solution is a small, fast, and open-source web application that you can customize to fit your needs. Try our great solution as a communication channel in your company or sell it to your customers."

The Messenger platform includes:
  • Real-time messaging.
  • Supports GitHub flavored markdown.
  • Supports secret messages.
  • Full-text search.


Description of the vulnerability

TotalJS Messenger at commit b6cf1c9 is vulnerable to cross-site scripting (XSS): the private task field is not properly sanitized.

Replication of the vulnerability

  • Log in to the application.
  • Click on Add a Private task.
  • Set " <script>alert(document.domain)</script> as the task description and save.
  • The XSS will fire whenever the user info is reflected in the page.


See the YouTube video PoC at the top of the page.
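The class of flaw described above, shown as an added example that is not from the original post or the TotalJS Messenger code base: a stored task description concatenated into markup as-is, next to the same rendering with output encoding. The function names, the `task` object shape and the two output contexts (a `title` attribute and element content) are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering helpers, not TotalJS Messenger code.

// Characters that can change the HTML parsing context in element content
// or inside a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored description reaches the page unencoded,
// so the browser parses it as markup every time the task is displayed.
function renderTaskUnsafe(task) {
  return '<li class="task" title="' + task.description + '">' +
    task.description + '</li>';
}

// Hardened pattern: encode at output time, in every context the value lands in.
// The leading double quote in the description is why the attribute matters too.
function renderTaskSafe(task) {
  const d = escapeHtml(task.description);
  return '<li class="task" title="' + d + '">' + d + '</li>';
}

// Constructed sample record using the task description from the steps above.
const sampleTask = {
  description: '" <script>alert(document.domain)</script>',
};

// Simple check for this example: does the output still carry a script tag?
function containsLiveMarkup(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderTaskUnsafe(sampleTask));
console.log('safe:  ', renderTaskSafe(sampleTask));
```

Encoding on output keeps the stored value intact while making it inert in the page; sanitizing or rejecting markup on input is a complementary control, not a replacement.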