Stored and Reflected XSS in Website

Report ID



  • Vendor: IEEE
  • Product: Website
  • Affected Version:
  • Severity: medium
  • Short summary: Reflected and Stored XSS possible in website.


There is no proper input validation check for the text entered in the fields on the login page of the website. This results in a reflected XSS attack (OWASP Link). As an example, if an attacker fills out the following:

Conference ID: "><script>alert("XSS")</script>
Email Address:
Password: supersecure

You will get a pop-up showing "XSS". More concrete attacks are described here.

If I create a new account and create a password containing "><script>alert("XSS")</script> for example, the XSS is persistent.


Suggested Mitigation

There needs to be proper input sanitization. More details can be found at
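
One way to apply this to the Conference ID field, as an added example that is not the vendor's code. It assumes the login form writes the submitted value back into a `value` attribute; the ID pattern, the markup and all function names are hypothetical.

```python
import html
import re
from html.parser import HTMLParser

# Payload quoted in the report.
PAYLOAD = '"><script>alert("XSS")</script>'

# Assumed ID format (hypothetical; the real format is not given in the report).
CONFERENCE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Assumed markup: the form echoes the submitted value into a value attribute.
FIELD = '<input type="text" name="conference_id" value="{value}">'

def render_unsafe(conference_id):
    """Vulnerable pattern: submitted text is pasted into the attribute as-is."""
    return FIELD.format(value=conference_id)

def render_safe(conference_id):
    """Encode for the HTML attribute context before writing the value back."""
    return FIELD.format(value=html.escape(conference_id, quote=True))

def is_valid_conference_id(conference_id):
    """Allow-list check on input; output encoding is still required."""
    return CONFERENCE_ID_RE.fullmatch(conference_id) is not None

class _Inspector(HTMLParser):
    """Records the start tags and value attributes an HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.values += [v for k, v in attrs if k == "value"]

def parse_markup(markup):
    """Return (start tags, value attributes) as a parser reads the markup."""
    inspector = _Inspector()
    inspector.feed(markup)
    inspector.close()
    return inspector.tags, inspector.values

if __name__ == "__main__":
    print(parse_markup(render_unsafe(PAYLOAD)))  # a script element appears
    print(parse_markup(render_safe(PAYLOAD)))    # payload stays inside value
```

The same encoding applies wherever stored account data is written back into a page, which is the persistent case described above.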


  • 2017-02-03 Vulnerability Discovered
  • 2017-02-06 Barbara contacted me and sent me a link to Dropbox to upload the report
  • 2017-05-08 Vulnerability is not fixed, vendor needs more time
  • 2018-08-01 Published