Cross-site Scripting (XSS) - Stored in idempiere/idempiere


Reported on

Jun 4th 2021

✍️ Description

Stored xss via svg file upload

🕵️‍♂️ Proof of Concept

you can upload this svg file .
Check this 1 minute video to reproduce the bug

💥 Impact

stored xss allow to execute arbitary javascript code in victim browser

Jamie Slome
6 months ago


@ranjit-git, I will reach out to them via their public e-mail

Jamie Slome validated this vulnerability 6 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on fa0b52 6 months ago
The fix bounty has been dropped