VYPR
Unrated severity · NVD Advisory · Published Mar 2, 2023 · Updated Mar 7, 2025

Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver

CVE-2023-1149

Description

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BTCPay Server prior to 1.8.0 is vulnerable to HTML injection via improper neutralization of special elements in payment requests and receipts.

Vulnerability

BTCPay Server versions prior to 1.8.0 contain an HTML injection vulnerability due to improper neutralization of equivalent special elements in the payment request, posData, and receiptData fields. The issue stems from the use of Safe.Raw() in server-side Blazor templates (PaymentModel.cshtml, PosData.cshtml, and Receipts.cshtml), which caused user-controlled strings to be emitted as raw HTML rather than as encoded text. The issue is fixed in commit ddb125f [1].

Exploitation

An attacker can exploit this vulnerability by crafting a payment request or receipt with malicious HTML/JavaScript in fields such as Model.BtcDue, payment.AdditionalInformation, key, or str (as seen in the views). No authentication is required if the attacker can create a payment request; an authenticated attacker could also inject malicious content into receipt or POS data fields. The attacker simply needs to submit a payment request containing HTML markup, which will then be rendered unescaped in the browser of any victim viewing that request or receipt [2].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the BTCPay Server web interface when a user views a payment request or receipt. This can lead to phishing attacks, session hijacking, or defacement. The injected script runs in the context of the victim's session, potentially compromising sensitive data or leading to further attacks against the BTCPay Server instance [2].

Mitigation

The vulnerability is fixed in BTCPay Server version 1.8.0. Users should upgrade to this version or later. The fix replaces Safe.Raw() with Razor's default HTML-encoded output (the @ expression syntax) for all user-controlled data in the affected templates [1]. No workarounds are available for unpatched versions. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
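The following C# program is an added illustration of the two output paths the Vulnerability and Mitigation sections contrast; it is not BTCPay Server's own code. RenderRaw stands in for the pre-1.8.0 Safe.Raw() pattern (value emitted verbatim) and RenderEncoded for the fixed @ expression pattern, using HtmlEncoder.Default, the encoder ASP.NET Core Razor applies to @ output. The field name, sample value and the UserMarkupSurvives check are constructed for this example.

```csharp
using System;
using System.Text.Encodings.Web;

// Added illustration, not BTCPay Server's code. It models the two output paths the
// advisory contrasts: a raw path standing in for Safe.Raw() (string emitted verbatim)
// and an encoded path standing in for Razor's @expression output, which HTML-encodes.
// The field name and sample value below are constructed for the example.
public static class PaymentFieldRendering
{
    // Constructed stand-in for a user-controlled field such as payment.AdditionalInformation.
    public const string SampleAdditionalInformation = "Ship to <b>Warehouse 2</b> & call ahead";

    // Pre-1.8.0 pattern: the value reaches the page unchanged, so any markup in it is
    // interpreted by the browser instead of being shown as text.
    public static string RenderRaw(string userValue) =>
        "<dd>" + userValue + "</dd>";

    // Post-fix pattern: HtmlEncoder.Default replaces '<', '>', '&', '"' and '\'' with
    // entities, so the value is displayed literally and cannot change the page structure.
    public static string RenderEncoded(string userValue) =>
        "<dd>" + HtmlEncoder.Default.Encode(userValue) + "</dd>";

    // Review check: a user value that contains markup-significant characters must not
    // appear verbatim in the rendered output.
    public static bool UserMarkupSurvives(string rendered, string userValue) =>
        userValue.IndexOfAny(new[] { '<', '>', '&', '"', '\'' }) >= 0
        && rendered.Contains(userValue, StringComparison.Ordinal);

    public static void Main()
    {
        string raw = RenderRaw(SampleAdditionalInformation);
        string encoded = RenderEncoded(SampleAdditionalInformation);

        Console.WriteLine("Raw (Safe.Raw-style):  " + raw);
        Console.WriteLine("Encoded (@-style):     " + encoded);
        Console.WriteLine("Raw leaks markup:      " + UserMarkupSurvives(raw, SampleAdditionalInformation));
        Console.WriteLine("Encoded leaks markup:  " + UserMarkupSurvives(encoded, SampleAdditionalInformation));
    }
}
```

In Razor terms, the change the advisory describes is the difference between `@Safe.Raw(payment.AdditionalInformation)` and `@payment.AdditionalInformation`: the first hands the string to the browser as markup, the second goes through the view's HtmlEncoder first. When reviewing templates, treat every raw-output helper applied to request-derived data as a finding unless the data is demonstrably server-generated markup.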

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)