Cross-site Scripting (XSS) in Search Function with filter in neorazorx/facturascripts
May 10th 2022
An XSS can be triggered via the search function in a number filter.
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application uses unvalidated or unencoded user input in the output it generates.
Proof of Concept
1. Log in and go to Accounting -> Accounting accounts -> click on Filters.
2. Enter 1'"><script>alert(origin)</script> in any number filter.
3. Click on Search. The script escapes via the value attribute of that filter and the XSS is triggered.
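The fix for this class of bug is to HTML-encode the filter value before it is written into the value attribute, so a quote in the input cannot close the attribute. The following is an added example, not FacturaScripts code; the field name `filtertotal` is assumed, and the hardened form is shown next to the unsafe interpolation it replaces:

```php
<?php
// Added example (not FacturaScripts code): render a numeric filter input
// with its value attribute HTML-encoded so quotes cannot close the attribute.
declare(strict_types=1);

// Unsafe pattern: user input interpolated straight into the attribute.
// A value containing " or ' closes the attribute and the rest becomes markup.
function renderFilterUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode & " ' < > so the value stays inside the attribute.
// ENT_QUOTES matters: without it single quotes pass through unencoded.
function renderFilterSafe(string $name, string $value): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
    return '<input type="text" name="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// For a number filter, validate the type as well: reject anything non-numeric
// before it reaches the template (defence in depth, encoding is still required).
function normaliseNumberFilter(string $raw): ?string
{
    return is_numeric($raw) ? $raw : null;
}

// Constructed input mirroring the payload shape in the report.
$payload = '1\'"><script>alert(origin)</script>';

echo renderFilterUnsafe('filtertotal', $payload), PHP_EOL;

$safe = renderFilterSafe('filtertotal', $payload);
echo $safe, PHP_EOL;

// Self-check: the encoded attribute contains no raw quote, tag bracket or
// <script> element, and the numeric validator rejects the payload outright.
assert(strpos($safe, '<script') === false);
assert(preg_match('/value="[^"<>\']*"/', $safe) === 1);
assert(normaliseNumberFilter($payload) === null);
assert(normaliseNumberFilter('1250.50') === '1250.50');
```

Run with `php -d zend.assertions=1 example.php` so the self-checks are evaluated.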