Cross-site Scripting (XSS) - Stored in poowf/invoiceneko
Aug 13th 2021
Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document´s content.
injection point INSERT LINK "><img src=x onerror=confirm(1)>
🕵️♂️ Proof of Concept
Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser.