Cross-site Scripting (XSS) - Stored in range-of-motion/budget

Valid

Reported on

Jun 4th 2021


✍️ Description

Stored xss using vue js

🕵️‍♂️ Proof of Concept

1. First goto your account and visit https://app.budgethq.com/transactions and create a transaction .
During creation put bellow xss payload in Description field and save it .
Now see xss is executed

Payload ---> {{ constructor.constructor("alert('xs222s')")() }}

#VIDEO POC

https://drive.google.com/file/d/1fkPqCdEXGaOLryLDRe0T4mPTv3yVUhfJ/view?usp=sharing

💥 Impact

Stored xss allow to executed arbitary javacscript in vicitm account

Jamie Slome
a year ago

Admin


I have reached out to the maintainers via a GitHub Issue and we will await a response from them.

Daniël validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniël submitted a
a year ago
Daniël marked this as fixed in 0.11.1 with commit eea1bf a year ago
Daniël has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation