Unknown · Hledger-Web · CVE-2021-46888
**Name of the Vulnerable Software and Affected Versions**
hledger versions prior to 1.23
hledger-web versions prior to 1.23
**Description**
A Stored Cross-Site Scripting (XSS) issue exists in the `toBloodhoundJson` function of hledger-web, which serialises stored journal values (account names and descriptions) into inline JSON for the add-transaction form's Bloodhound autocompletion. An attacker who can add a transaction can store a value that executes JavaScript in the browser of every subsequent visitor, by encoding the payload with base64 and decoding it at runtime with the `atob` function. The `hledger-web` forms sanitize obvious JavaScript but not obfuscated JavaScript, so a keyword-style filter does not stop the attack; instances that are anonymously writable are the most exposed, since anyone can plant the payload.
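The following is an added illustration of the failure mode described above, not code from hledger or hledger-web. It contrasts a blocklist that rejects "obvious" JavaScript with context-aware escaping of JSON placed inside an inline `<script>`. The blocklist patterns, the page template, the `obfuscate` helper and the stored sample value are all assumptions constructed for this demonstration; the real hledger-web filter and template differ.

```javascript
// Added example (not hledger-web code): keyword blocklist vs. contextual
// escaping when user-controlled data is embedded in an inline <script>.

// Stand-in for a filter that rejects "obvious" JavaScript in a submitted
// form value (assumed for this example; not the actual hledger-web check).
const OBVIOUS_JS = [
  /alert\s*\(/i,
  /document\.(cookie|location)/i,
  /fetch\s*\(/i,
  /javascript:/i,
];

function looksLikeObviousJs(value) {
  return OBVIOUS_JS.some((re) => re.test(value));
}

// How the blocklist is sidestepped: the dangerous code is carried as base64
// and only decoded in the victim's browser with atob(). Nothing in the
// stored string matches the patterns above.
function obfuscate(jsSource) {
  const b64 = Buffer.from(jsSource, "utf8").toString("base64");
  return `eval(atob('${b64}'))`;
}

// Vulnerable embedding: JSON.stringify escapes quotes and backslashes but
// leaves '<', '>' and '&' untouched. The HTML parser runs before the JS
// parser, so a value containing "</script>" ends the script element and the
// attacker's own <script> that follows is executed as page markup.
function renderVulnerable(values) {
  return `<script>var suggestions = ${JSON.stringify(values)};</script>`;
}

// Hardened embedding: every character that matters in an HTML script
// context becomes a JSON \uXXXX escape. JSON.parse maps them back to the
// original characters, so the autocomplete data is unchanged, while the HTML
// parser never sees a literal '<'. U+2028/U+2029 are included because older
// JS engines treat them as line terminators inside string literals.
function toScriptSafeJson(values) {
  return JSON.stringify(values).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"),
  );
}

function renderHardened(values) {
  return `<script>var suggestions = ${toScriptSafeJson(values)};</script>`;
}

// How many closing script tags the browser's HTML parser would see.
// Exactly one means the embedded data stayed inside the data script.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: an account name an attacker stores via the add form.
// The trailing "//" comments out the template's remaining '"];' so the
// injected script parses cleanly.
const STORED_PAYLOAD = `</script><script>${obfuscate("alert(document.cookie)")}//`;

// Demo output for readers running the file directly.
console.log("blocklist catches payload:", looksLikeObviousJs(STORED_PAYLOAD));
console.log("vulnerable:", renderVulnerable([STORED_PAYLOAD]));
console.log("hardened:  ", renderHardened([STORED_PAYLOAD]));
```

Extending the blocklist with `eval(` or `atob(` does not change the conclusion: `window['ev'+'al']`, `Function(...)` and `setTimeout(string)` are a few of the many equivalents, so content filtering of stored values is the wrong layer. The durable fix is to encode for the output context, here JSON with the HTML-significant characters escaped, which is what an upgraded hledger-web does when building its autocompletion data.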
**Recommendations**
For hledger versions prior to 1.23, update to version 1.23 or later to resolve the issue.
For hledger-web versions prior to 1.23, update to version 1.23 or later to resolve the issue.
There is no configuration switch for `toBloodhoundJson`; it is an internal function of hledger-web, and the fix is already released in 1.23, so upgrading is the only complete remedy.
Until an instance is upgraded, reduce exposure by not exposing it to untrusted users: run hledger-web with `--capabilities=view` to disable the add form (the default is `view,add`), or place the instance behind authentication.
Because the payload is stored in the journal file, upgrading stops it from rendering but does not remove it; after upgrading a previously writable instance, review the journal for account names or descriptions containing `<`, `script` or `atob` and remove any planted entries.