Cross-site Scripting (XSS) - Stored in poowf/invoiceneko


Reported on

Aug 13th 2021

✍️ Description

Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document's content.

Vulnerable url! 


injection point INSERT LINK  "><img src=x onerror=confirm(1)>

🕵️‍♂️ Proof of Concept

💥 Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, a message forum, a visitor log, a comment field, etc., and a victim is then able to retrieve the stored data from the web application without that data being made safe to render in the browser.
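
The two missing controls named in the description, content validation and output encoding, shown on the payload from this report. This is an added example, not code from poowf/invoiceneko or from the reporter; the function names and the `<a>` template are hypothetical, chosen only to illustrate a stored link value being rendered in a preview.

```javascript
// Constructed sample: the value stored through the link field, as given in the report.
const storedLink = '"><img src=x onerror=confirm(1)>';

// Vulnerable pattern: the stored value is concatenated into an attribute as-is,
// so the leading "> closes the attribute and the tag, and the rest becomes markup.
function renderLinkUnsafe(href) {
  return '<a href="' + href + '">link</a>';
}

// Output encoding: neutralise every character that can end an attribute or open a tag.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Content validation: a link must parse as an absolute URL with an allowed scheme.
// Encoding alone is not enough for href values, because a javascript: URL
// contains no characters that need escaping.
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];
function isAllowedLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // not an absolute URL at all (the report's payload lands here)
  }
  return ALLOWED_SCHEMES.includes(url.protocol);
}

// Hardened pattern: validate first, then encode for the attribute context.
function renderLinkSafe(href) {
  const target = isAllowedLink(href) ? href : '#';
  return '<a href="' + escapeHtml(target) + '" rel="noopener noreferrer">link</a>';
}

console.log(renderLinkUnsafe(storedLink)); // attribute is broken out of, <img> is live markup
console.log(renderLinkSafe(storedLink));   // payload rejected, inert "#" link rendered
```

Validation belongs where the value is saved and encoding where it is rendered; applying both means a value that slipped into storage before the fix is still rendered inert.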

a year ago


Hey Raptor, I've just emailed the repo's team about this. Good job!

a year ago


Thanks man

We have contacted a member of the poowf/invoiceneko team and are waiting to hear back a year ago
Zane Chua validated this vulnerability a year ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Zane Chua confirmed that a fix has been merged on 61f162 a year ago
Zane Chua has been awarded the fix bounty
a year ago


Hi, it seems to be not fixed.

a year ago


Mistake I typed; this parameter is fixed.

Zane Chua
a year ago

It's been fixed in the repo but not on the live site.

The fix will go up in the next deployment.
