VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16146

Description

Gophish versions through 0.8.0 suffered from stored XSS in the user management page due to unsanitized username input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

Gophish, an open-source phishing simulation framework, in versions up to and including 0.8.0, is vulnerable to stored cross-site scripting (XSS) via the username field [1]. The root cause is that user-supplied usernames were directly interpolated into JavaScript template literals without sanitization, allowing arbitrary HTML/JavaScript injection into the user management interface [2].

Exploitation

An attacker with the ability to create or modify users (e.g., an admin user) can set a malicious username containing JavaScript payloads [3]. When the username is displayed in success messages, deletion confirmations, and other UI elements (e.g., templates like User ${user.username} updated successfully!), the payload is executed in the browser of any user viewing that page [2]. No network access beyond the web interface is required; the attacker needs only an account with user management privileges.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another administrator's session. This could be used to steal session tokens, perform administrative actions on behalf of the victim, or alter phishing campaign configurations, potentially leading to compromise of the Gophish installation [3].

Mitigation

The issue has been patched in the commit 24fe998a3aa04e205900476a9601d481e94d8eea as part of pull request #1547, where username values are now properly escaped using escapeHtml() before being inserted into the DOM [2][3]. Users are strongly advised to upgrade to a version containing this fix; if not possible, manual code review and input validation on the user management page are recommended.
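To make the mechanism concrete, here is an added example (not code from the Gophish project) that contrasts the pre-fix template-literal message with the escaped form used by the patch, and adds a line-level scanner for the unescaped pattern as a code-review aid. escapeHtml() is a hypothetical minimal implementation, since Gophish's own helper is not shown on this page; the sink names successFlash, swal and text: are taken from the fix diff.

```javascript
// Added example, not Gophish code. escapeHtml() is a hypothetical minimal
// implementation; sink names successFlash, swal, text: come from the fix diff.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix pattern: the username is interpolated straight into a string that
// the flash helper renders as HTML, so markup in the username becomes markup.
function vulnerableUpdateMessage(user) {
  return `User ${user.username} updated successfully!`;
}

// Post-fix pattern from the patch: escape before concatenating.
function safeUpdateMessage(user) {
  return "User " + escapeHtml(user.username) + " updated successfully!";
}

// Stand-in for an HTML sink: count the element tags a browser would parse.
function countTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g);
  return tags ? tags.length : 0;
}

// Heuristic code-review check for the pre-fix pattern: a template-literal
// interpolation on a line that feeds a known HTML sink with no escapeHtml().
// Returns 1-based line numbers; a line-level heuristic, not a JS parser.
const HTML_SINKS = [/successFlash\(/, /swal\(/, /^\s*text:/];
function findUnescapedInterpolations(source) {
  return source.split("\n").flatMap((line, i) => {
    const hitsSink = HTML_SINKS.some((re) => re.test(line));
    const interpolates = /\$\{[^}]*\}/.test(line);
    const escaped = /escapeHtml\(/.test(line);
    return hitsSink && interpolates && !escaped ? [i + 1] : [];
  });
}

// Constructed sample inputs (illustrative values, not real accounts or code).
const markupUser = { username: "alice<b>x</b>" };
const plainUser = { username: "bob" };
const SAMPLE_SOURCE = [
  "successFlash(`User ${user.username} updated successfully!`)",
  'successFlash("User " + escapeHtml(user.username) + " updated successfully!")',
  "    text: `This will delete the account for ${user.username}`,",
].join("\n");
```

Running the scanner over SAMPLE_SOURCE flags lines 1 and 3 (the pre-fix forms) and passes line 2 (the patched form).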

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions   Patched versions
github.com/gophish/gophish (Go)   < 0.9.0             0.9.0

Affected products: 2

Patches: 1

24fe998a3aa0

Fix multiple XSS issues in User Management Page (#1547)

https://github.com/gophish/gophish · David Maciejak · Aug 24, 2019 · via ghsa
1 file changed · +5 −5
  • static/js/src/app/users.js · +5 −5 · modified
    @@ -19,7 +19,7 @@ const save = (id) => {
             user.id = id
             api.userId.put(user)
                 .success(function (data) {
    -                successFlash(`User ${user.username} updated successfully!`)
    +                successFlash("User " + escapeHtml(user.username) + " updated successfully!")
                     load()
                     dismiss()
                     $("#modal").modal('hide')
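Review bot: the fix is correct only if successFlash() renders its argument as HTML, and this hunk does not show where escapeHtml is defined or imported into users.js, so please confirm it is in scope for this module. Style point: switching from a template literal to string concatenation is not needed for the fix; `successFlash(\`User ${escapeHtml(user.username)} updated successfully!\`)` keeps the original form and is just as safe.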
    @@ -32,7 +32,7 @@ const save = (id) => {
             // to /user
             api.users.post(user)
                 .success(function (data) {
    -                successFlash(`User ${user.username} registered successfully!`)
    +                successFlash("User " + escapeHtml(user.username) + " registered successfully!")
                     load()
                     dismiss()
                     $("#modal").modal('hide')
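Review bot: this repeats the escape-at-call-site pattern from the update path a few lines above; since both messages are built the same way, a small helper that escapes the username once before building the flash text would make it harder for a future message to reintroduce the unescaped template-literal form. Worth also checking that no other flash call in this file interpolates user.username outside the hunks shown.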
    @@ -79,7 +79,7 @@ const deleteUser = (id) => {
         }
         swal({
             title: "Are you sure?",
    -        text: `This will delete the account for ${user.username} as well as all of the objects they have created.\n\nThis can't be undone!`,
    +        text: "This will delete the account for " + escapeHtml(user.username) + " as well as all of the objects they have created.\n\nThis can't be undone!",
             type: "warning",
             animation: false,
             showCancelButton: true,
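Review bot: please verify how swal renders the `text:` option before relying on escapeHtml() here. If swal inserts the value as HTML, escaping is the right fix; if it sets text content, the call double-encodes and a username such as `A&B` will display as `A&amp;B`. The `\n\n` line breaks kept in the message are a hint to check this, since they only render as breaks when the option is treated as text.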
    @@ -101,7 +101,7 @@ const deleteUser = (id) => {
         }).then(function () {
             swal(
                 'User Deleted!',
    -            `The user account for ${user.username} and all associated objects have been deleted!`,
    +            "The user account for " + escapeHtml(user.username) + " and all associated objects have been deleted!",
                 'success'
             );
             $('button:contains("OK")').on('click', function () {
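Review bot: the second positional argument to swal() is the message body, and the same rendering question applies as for the `text:` option in the confirmation dialog: confirm whether swal treats it as HTML or as text. If it is rendered as text, the pre-fix template literal was already safe and this change only makes entities show up literally in the success dialog.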
    @@ -175,4 +175,4 @@ $(document).ready(function () {
         $("#userTable").on('click', '.delete_button', function (e) {
             deleteUser($(this).attr('data-user-id'))
         })
    -});
    \ No newline at end of file
    +});
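Review bot: this hunk is whitespace only (it adds the missing newline at end of file); harmless, but unrelated to the XSS fix and worth noting in the commit so reviewers do not look for a behavioural change. The patch also adds no regression test for a username containing markup; a unit test around the message construction would guard against the template-literal form returning.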
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.