LOW · CVE-2021-3830 · CVSS 3.8

CVE-2021-3830: XSS in btcpayserver ≤1.2.3

Platform

other

Component

btcpayserver/btcpayserver

Fixed in

1.2.3

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2021-3830 describes a Cross-Site Scripting (XSS) vulnerability affecting btcpayserver versions 1.2.3 and earlier. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft or session hijacking. The vulnerability was published on September 26, 2021, and a fix is available in version 1.2.3.

Impact and Attack Scenarios

The XSS vulnerability in btcpayserver allows an attacker to inject arbitrary JavaScript code into web pages served by the application. This code can then be executed in the context of a victim's browser, granting the attacker access to sensitive information such as cookies, session tokens, and other user data. An attacker could also use this vulnerability to redirect users to malicious websites, deface the application, or perform other actions on behalf of the victim. The impact is particularly concerning for btcpayserver deployments handling cryptocurrency transactions, as compromised user accounts could lead to financial losses.

Exploitation Context

CVE-2021-3830 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of active exploitation at this time. The vulnerability was disclosed publicly on September 26, 2021, alongside the CVE assignment.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.23% (46% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N (base score 3.8, LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: btcpayserver/btcpayserver
Vendor: btcpayserver
Affected range: unspecified – 1.2.3
Fixed in: 1.2.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2021-3830 is to upgrade btcpayserver to version 1.2.3 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update your btcpayserver configuration to ensure it adheres to security best practices.
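As an added illustration of the output-encoding workaround named above, the following JavaScript is example code written for this page, not btcpayserver's own code, and it makes no claim about where in btcpayserver the flaw sits. It encodes user-supplied strings for the HTML context they land in (text node versus quoted attribute), restricts link targets to http(s), and shows a vulnerable rendering function beside its hardened form. The store-card functions, field names and sample inputs are all hypothetical and constructed.

```javascript
// Added example for this page (not btcpayserver code): context-aware
// output encoding of user-supplied strings before they are embedded in HTML.
// The render functions, field names and sample inputs are all constructed.

// Entities for HTML text content (between tags): the characters that can
// change the parser state in a text node, plus both quote characters.
const HTML_TEXT_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

function encodeHtmlText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_TEXT_MAP[ch]);
}

// Encoding for a quoted HTML attribute value: every code point outside
// [A-Za-z0-9] becomes a hex numeric entity, so the attribute cannot be
// closed early. The /u flag keeps astral code points in one piece.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// Only http(s) URLs are allowed in href; anything else is replaced by "#".
// Encoding alone does not help for URLs, because the browser decodes the
// attribute value before interpreting it as a URL.
function safeHref(url) {
  return /^https?:\/\//i.test(String(url)) ? encodeHtmlAttribute(url) : '#';
}

// The shape of a stored-XSS bug: a user-controlled store name and URL are
// interpolated straight into markup with no encoding.
function renderStoreCardUnsafe(name, website) {
  return `<div class="store" title="${name}"><a href="${website}">${name}</a></div>`;
}

// Hardened version: each value is encoded for the context it lands in.
function renderStoreCard(name, website) {
  return `<div class="store" title="${encodeHtmlAttribute(name)}">` +
    `<a href="${safeHref(website)}">${encodeHtmlText(name)}</a></div>`;
}

// Constructed sample input: a store name carrying a script tag and a
// non-http URL, the kind of fixture a defender keeps in a regression test.
const SAMPLE_NAME = 'Shop <script>alert(1)</script>';
const SAMPLE_URL = 'javascript:alert(1)';

// Self-check usable from a test suite: true when the hardened markup
// contains neither a raw tag nor the non-http scheme from the sample input.
function encodesSample() {
  const html = renderStoreCard(SAMPLE_NAME, SAMPLE_URL);
  return !html.includes('<script') && !html.includes('javascript:');
}

console.log(renderStoreCardUnsafe(SAMPLE_NAME, SAMPLE_URL));
console.log(renderStoreCard(SAMPLE_NAME, SAMPLE_URL));
```

The two encoders differ on purpose: a text node only needs the five characters that can open a tag or entity, while an attribute value is encoded aggressively because a single stray quote is enough to escape it. In a framework with templating (btcpayserver is an ASP.NET Core application, where Razor encodes by default), the equivalent rule is to never bypass the template engine's encoding for user-controlled data.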

How to fix

Upgrade btcpayserver to version 1.2.3 or later. This version contains a fix for the stored Cross-site Scripting (XSS) vulnerability. Updating mitigates the risk of attackers injecting malicious scripts into your server.

Frequently asked questions

What is CVE-2021-3830 — Cross-Site Scripting in btcpayserver?

CVE-2021-3830 is a Cross-Site Scripting (XSS) vulnerability in btcpayserver versions up to 1.2.3, allowing attackers to inject malicious scripts.

Am I affected by CVE-2021-3830 in btcpayserver?

You are affected if you are running btcpayserver version 1.2.3 or earlier. Upgrade to 1.2.3 to mitigate the risk.

How do I fix CVE-2021-3830 in btcpayserver?

Upgrade btcpayserver to version 1.2.3 or later. Implement input validation and output encoding as a temporary workaround.

Is CVE-2021-3830 being actively exploited?

There is no widespread evidence of active exploitation at this time, but vigilance is still advised.

Where can I find the official btcpayserver advisory for CVE-2021-3830?

Refer to the btcpayserver project's official release notes and security advisories on their GitHub repository.