
XSS vulnerability in



There's an XSS vulnerability in the page via the codi GET parameter.

Reproduction steps

  1. Visit

What should be done?

Sanitize the codi parameter properly.

Attack scenario

Proof of concept of a phishing attack possible due to this vulnerability:

  1. Log in as a student at Món UB (
  2. Visit this link. It will show a dialog with the student's name.

Due to the COVID-19 situation, this bug is subject to a more relaxed 120-day disclosure deadline instead of the normal 90-day deadline. If 120 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.


Universitat de Barcelona
May 14 2020, 1:46 PM
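
An added example, not part of the original report and not the site's own code: one way to carry out the "Sanitize the codi parameter" recommendation is to validate the value against an allowlist and then encode it for each output context it is written into. The codi format, the handler name render and the markup are assumptions made for illustration.

```python
import html
import json
import re

# Assumption: codi is a short alphanumeric code. The real format is not given
# on the page; adjust the pattern to the values the application really issues.
CODI_PATTERN = re.compile(r"[A-Za-z0-9]{1,16}")


def validate_codi(raw):
    """Return raw if it matches the allowlist, otherwise None."""
    if isinstance(raw, str) and CODI_PATTERN.fullmatch(raw):
        return raw
    return None


def encode_html(value):
    """Encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Encode as a JavaScript string literal safe inside an inline <script>."""
    # json.dumps escapes quotes, backslashes, control and non-ASCII characters
    # (ensure_ascii is on by default) but leaves <, > and & untouched.
    literal = json.dumps(value)
    for ch in "<>&":
        # Escape them so the value cannot close the surrounding script element.
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render(raw_codi):
    """Hypothetical handler: returns (status, body) for a request's codi."""
    codi = validate_codi(raw_codi)
    if codi is None:
        # Reject without echoing the rejected value back into the page.
        return 400, "<p>Invalid codi.</p>"
    body = (
        '<input name="codi" value="%s">\n'
        "<p>Results for %s</p>\n"
        "<script>var codi = %s;</script>"
    ) % (encode_html(codi), encode_html(codi), encode_js_string(codi))
    return 200, body


# Constructed sample input, not the payload from the report.
SAMPLE_HOSTILE = '"><script>alert(1)</script>'
```

Encoding is applied even after validation so that a later loosening of the allowlist does not reopen the reflection.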

Event Timeline

avm99963 triaged this task as Priority-1 priority. Apr 15 2020, 4:30 PM
avm99963 created this task.
avm99963 set Reported to May 14 2020, 1:46 PM. May 14 2020, 1:47 PM

On May 16 2020, 2:34 PM, SAE told me the developers fixed this issue, and I could verify this, so I'm marking this report as verified and disclosing it to the public.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Jul 20 2020, 11:22 PM