The following document describes identified vulnerabilities in the Wallabag application, versions 2.2.3 through 2.3.2.

Product Description

Wallabag is an open source RSS reader application, distributed under an MIT license. The project's official website is The vulnerability described in this document affects version 2.2.3 (released on May 18, 2017) through version 2.3.2 (released on January 22, 2018).

Vulnerabilities List

One vulnerability was identified within the Wallabag web application:

  • One instance of stored cross-site scripting

This vulnerability is described in the following section.

Affected Version

Versions 2.2.3 through 2.3.2



Stored Cross-site Scripting

The Wallabag application is affected by one stored cross-site scripting (XSS) vulnerability located in the configuration page. The stored JavaScript payload executes each time an administrator visits the configuration page. Exploitation requires authentication, and the vulnerability can be used to target administrators and steal their sessions.

Vulnerability Details

CVE ID: CVE-2018-11352

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-79

CVSS Base Score: 4.9


The XSS vulnerability is located on the internal settings configuration page. By injecting a JavaScript payload into this page, an attacker can steal an administrator session. An admin account is required to exploit this instance. The vulnerable parameter is craue_config_modifySettings[settings][23][value]. To trigger the vulnerability, Piwik must be enabled, which is done by setting the parameter craue_config_modifySettings[settings][22][value] to 1. The following payload can be used to demonstrate the attack:

The request below can be used to exploit the vulnerability:
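As an added defender-side example, not part of this advisory or of the Wallabag code base, the following Python reviews a settings-form POST body for the precondition and sink described above: it parses the craue_config_modifySettings[settings][N][value] fields and flags any index-23 value that is not a plain hostname, on the assumption that this setting is meant to hold a tracking host (the advisory identifies the setting only by its index). The sample request bodies are constructed for the test.

```python
import re
from urllib.parse import parse_qs

# Field name pattern used by the settings form, e.g.
# craue_config_modifySettings[settings][23][value]
SETTING_FIELD = re.compile(r"^craue_config_modifySettings\[settings\]\[(\d+)\]\[value\]$")

# Indices from the advisory: 22 toggles Piwik on, 23 is the injectable value.
PIWIK_ENABLED_IDX = "22"
PIWIK_VALUE_IDX = "23"

# Assumption: setting 23 should hold a hostname (RFC 1123 labels), optionally
# followed by a path. Anything else, including quotes or angle brackets, is rejected.
SAFE_HOST = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:/[a-z0-9._~-]*)*$", re.IGNORECASE)


def parse_settings(body: str) -> dict:
    """Return {index: value} for every settings[...][value] field in a form body."""
    settings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        m = SETTING_FIELD.match(name)
        if m:
            settings[m.group(1)] = values[-1]  # last occurrence wins, as PHP does
    return settings


def is_safe_host(value: str) -> bool:
    """Accept only a plain hostname with an optional path; reject markup or quotes."""
    return bool(value) and len(value) <= 253 and SAFE_HOST.match(value) is not None


def review_settings_request(body: str) -> list:
    """Flag a settings POST that would store a non-hostname value in setting 23.

    A bad value is reported even when Piwik (setting 22) is off, because it stays
    stored and fires as soon as Piwik is switched on.
    """
    s = parse_settings(body)
    findings = []
    if PIWIK_VALUE_IDX in s and not is_safe_host(s[PIWIK_VALUE_IDX]):
        state = "exploitable now" if s.get(PIWIK_ENABLED_IDX) == "1" else "latent until Piwik is enabled"
        findings.append(f"setting {PIWIK_VALUE_IDX} rejected ({state}): {s[PIWIK_VALUE_IDX]!r}")
    return findings


# Constructed sample bodies (not captured traffic).
GOOD_BODY = ("craue_config_modifySettings[settings][22][value]=1"
             "&craue_config_modifySettings[settings][23][value]=piwik.example.org")
BAD_BODY = ("craue_config_modifySettings[settings][22][value]=1"
            "&craue_config_modifySettings[settings][23][value]=piwik.example.org%22%3E%3Cscript%3E")
```

Run `review_settings_request()` over logged form bodies or wire it into a request filter in front of the settings endpoint; an empty list means every index-23 value looked like a hostname.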