Key Information about the Vulnerability

Vulnerability Description

OpenTrade through version 0.2.0 has a DOM-based XSS vulnerability that can be triggered when an administrator attempts to delete a message containing malicious JavaScript.

Affected Versions

The vulnerability was introduced in an early commit. Version 0.2.0 is the only version explicitly identified as vulnerable.

Overview

When an administrator tries to delete a chat message, a modal appears to confirm the deletion. The modal fails to HTML- or URL-encode the message contents, enabling JavaScript execution in the administrator's context. OpenTrade also does not set the "token" (session) cookie with the "HTTPOnly" flag, making it possible for an attacker to steal administrative cookies.

Proof of Concept

As a normal user: Submit a chat message containing JavaScript, e.g. . This will not execute in the chat.

As an administrator: Attempt to delete this message by clicking the delete button, which will cause the JavaScript to execute.

Fix

Apply to message outputs to prevent XSS.

Other Information

CVSS Score: 7.6 (High)
Vulnerability Type: DOM-Based XSS
Discoverer: Marshall Hallenbeck
CVE: CVE-2020-6847
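The two defects described above (a confirmation modal that interpolates unencoded message text into markup, and a session cookie without HttpOnly) are illustrated below in an added example that is not OpenTrade's code. The escapeHtml helper, the modal template, the cookie header builder and the sample message are all assumptions constructed for this illustration.

```javascript
// Added example (not OpenTrade's code): a delete-confirmation modal built
// from untrusted chat-message text, in vulnerable and hardened form, plus a
// Set-Cookie header that keeps the session token out of script reach.

// Assumed helper, not the project's own: minimal HTML entity encoder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: message text dropped straight into markup that will be
// assigned to innerHTML, so any tag inside the message becomes live DOM.
function buildDeleteModalVulnerable(message) {
  return `<div class="modal"><p>Delete this message?</p>` +
    `<blockquote>${message}</blockquote></div>`;
}

// Hardened pattern: encode before interpolation so the message renders as text.
function buildDeleteModalSafe(message) {
  return `<div class="modal"><p>Delete this message?</p>` +
    `<blockquote>${escapeHtml(message)}</blockquote></div>`;
}

// Detection check for a test: does the rendered markup contain any tag that
// the template itself did not contribute?
function containsForeignTag(html) {
  const allowed = new Set(['div', '/div', 'p', '/p', 'blockquote', '/blockquote']);
  const tags = [...html.matchAll(/<([^\s>]+)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Session cookie with HttpOnly (plus Secure and SameSite): even if script does
// run in the admin's context, document.cookie cannot read the token.
function sessionCookieHeader(token) {
  return `token=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample of the kind of message the advisory describes.
const SAMPLE_MESSAGE = '<img src=x onerror=alert(1)>';
```

The vulnerable builder yields a foreign img tag in the modal markup while the hardened builder does not; the same escaping must be applied at every point where message contents reach innerHTML or a URL.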