Cross-site Scripting (XSS) - Stored in range-of-motion/budget

Valid

Reported on

Jun 4th 2021


✍️ Description

Stored XSS via a Vue.js template expression

🕵️‍♂️ Proof of Concept

1. Log in to your account, visit https://app.budgethq.com/transactions and create a transaction.
2. While creating it, put the XSS payload below in the Description field and save it.
3. The XSS now executes when the transaction is displayed.

Payload: {{ constructor.constructor("alert('xs222s')")() }}

Video PoC

https://drive.google.com/file/d/1fkPqCdEXGaOLryLDRe0T4mPTv3yVUhfJ/view?usp=sharing

💥 Impact

Stored XSS allows execution of arbitrary JavaScript in the victim's account.
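Added example, not part of the report or of the budget project: a defender-side audit that scans stored transaction descriptions for Vue mustache interpolation, the vector used in the PoC above, and rates any expression that reaches Function as high severity. The durable fix is to render such fields only through data binding, never as template source; this check only surfaces stored values that would be evaluated if that mistake recurs. The record layout and sample rows are constructed assumptions.

```javascript
// Vue's default text interpolation delimiters.
const VUE_INTERPOLATION = /\{\{([\s\S]*?)\}\}/g;
// Expressions that reach Function or otherwise escape the template scope.
const DANGEROUS_EXPRESSION =
  /constructor\s*\.\s*constructor|\bFunction\s*\(|\beval\s*\(|__proto__|\$el\b/;

// Returns every interpolation found in one description, with a severity tag.
function findTemplateInjection(description) {
  const hits = [];
  for (const match of String(description ?? "").matchAll(VUE_INTERPOLATION)) {
    const expression = match[1].trim();
    hits.push({
      expression,
      severity: DANGEROUS_EXPRESSION.test(expression) ? "high" : "review",
    });
  }
  return hits;
}

// Walks a batch of stored transactions and reports the ones whose description
// would be evaluated if it were ever injected into a Vue-compiled template.
function auditTransactions(records) {
  const findings = [];
  for (const rec of records) {
    const hits = findTemplateInjection(rec.description);
    if (hits.length > 0) {
      findings.push({ id: rec.id, user: rec.user, hits });
    }
  }
  return findings;
}

// Constructed sample rows (assumed schema); the third uses the exact payload
// from the report above.
const SAMPLE_TRANSACTIONS = [
  { id: 1, user: "alice", description: "Coffee with client" },
  { id: 2, user: "bob", description: "Invoice {{Q2}} retainer" },
  { id: 3, user: "mallory", description: "{{ constructor.constructor(\"alert('xs222s')\")() }}" },
  { id: 4, user: "mallory", description: "Test {{ 7*7 }}" },
];

// Stand-alone run: print the findings for the sample batch.
console.log(JSON.stringify(auditTransactions(SAMPLE_TRANSACTIONS), null, 2));
```

Records 2 and 4 are flagged for review only, while record 3 is reported as high severity.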

Jamie Slome
8 months ago

Admin


I have reached out to the maintainers via a GitHub Issue and we will await a response from them.

Daniël validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniël submitted a
a month ago
Daniël confirmed that a fix has been merged on eea1bf a month ago
Daniël has been awarded the fix bounty