Cross-site Scripting (XSS) - Stored in poowf/invoiceneko

Valid

Reported on

Aug 13th 2021


✍️ Description

Stored Cross-Site Scripting (XSS) vulnerability caused by a lack of content validation and output encoding. It can be exploited by uploading a crafted payload inside a document; the payload is then triggered when a user previews the document's content.

Vulnerable url

https://invoiceneko.com/aarear.com/quote/adhoc/create?url=#!

Payload

Injection point: INSERT LINK

"><img src=x onerror=confirm(1)>

🕵️‍♂️ Proof of Concept

https://drive.google.com/file/d/1-9HpKOSBjCttyUMB2PAO-iAgmnB1fwhc/view?usp=sharing

💥 Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, a message forum, a visitor log or a comment field. A victim then retrieves the stored data from the web application without that data having been made safe to render in the browser.
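The attribute-context breakout behind the INSERT LINK payload above, as an added example that is not part of this report or of the invoiceneko code base: a link field rendered by raw string concatenation beside a version that encodes the value for an HTML attribute. The `escapeAttr`, `isSafeHref` and `renderLink*` names are assumptions, and the http(s) scheme check goes beyond the report's payload.

```javascript
// Added example (not invoiceneko code): rendering a user-supplied link
// into an href attribute, unescaped versus escaped.

// Escape the characters that matter inside a double-quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed good practice beyond the report's payload: a link field should
// only carry http(s) URLs, so reject other schemes such as javascript:.
function isSafeHref(value) {
  try {
    const u = new URL(String(value), 'https://example.invalid/');
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Vulnerable form: the stored value is concatenated straight into markup.
function renderLinkUnsafe(href) {
  return `<a href="${href}">link</a>`;
}

// Hardened form: scheme allow-list plus attribute encoding.
function renderLinkSafe(href) {
  const target = isSafeHref(href) ? href : '#';
  return `<a href="${escapeAttr(target)}">link</a>`;
}

// Crude review check over rendered output: how many tags does it contain?
// Input that adds a tag has broken out of the attribute.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The payload reported on this page.
const PAYLOAD = '"><img src=x onerror=confirm(1)>';
```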

Ziding Zhang
4 months ago

Admin


Hey Raptor, I've just emailed the repo's team about this. Good job!

Raptor
4 months ago

Researcher


Thanks man

We have contacted a member of the poowf/invoiceneko team and are waiting to hear back (4 months ago)
Zane Chua validated this vulnerability (3 months ago)
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Zane Chua confirmed that a fix has been merged on 61f162 (3 months ago)
Zane Chua has been awarded the fix bounty
Raptor
3 months ago

Researcher


Hi, it seems to be not fixed.

Raptor
3 months ago

Researcher


My mistake, I typed it wrong. This parameter is fixed.

Zane Chua
3 months ago

It's been fixed in the repo but not on the live site.

The fix will go up in the next deployment.