Cross-site Scripting (XSS) - Stored in poowf/invoiceneko


Reported on

Aug 13th 2021

✍️ Description

Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document's content.

Vulnerable url! 


injection point INSERT LINK  "><img src=x onerror=confirm(1)>

🕵️‍♂️ Proof of Concept

💥 Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, message forum, visitor log, or comment field, and a victim then retrieves the stored data from the web application without that data being made safe to render in the browser.
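The two controls the report names as missing, content validation and output encoding, shown on the reported payload as an added example. This is not code from the invoiceneko repository or from the fix commit; the function names and the `href` rendering context are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not invoiceneko code.
const PAYLOAD = '"><img src=x onerror=confirm(1)>'; // payload quoted in the report

// Vulnerable pattern: the stored link is concatenated into an attribute unencoded,
// so the leading "> closes the attribute and the tag.
function renderLinkUnsafe(storedUrl) {
  return '<a href="' + storedUrl + '">link</a>';
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Content validation: accept only absolute URLs with an allowlisted scheme.
function isAllowedUrl(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch (err) {
    return false; // malformed or relative input is rejected
  }
  return ['http:', 'https:', 'mailto:'].includes(parsed.protocol);
}

// Hardened pattern: validate first, then encode whatever is written out.
function renderLinkSafe(storedUrl) {
  const href = isAllowedUrl(storedUrl) ? storedUrl : '#';
  return '<a href="' + escapeHtml(href) + '">link</a>';
}

// Counts opening tags a browser would parse ('<' followed by a letter).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed inputs: the bare payload, and the payload appended to a valid URL.
// The second passes validation, which is why encoding is still required.
for (const input of [PAYLOAD, 'https://example.com/?q=' + PAYLOAD]) {
  console.log('unsafe:', countTags(renderLinkUnsafe(input)), 'tags;',
              'safe:', countTags(renderLinkSafe(input)), 'tag');
}
```
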

2 years ago


Hey Raptor, I've just emailed the repo's team about this. Good job!

2 years ago


Thanks man

We have contacted a member of the poowf/invoiceneko team and are waiting to hear back 2 years ago
Zane Chua validated this vulnerability 2 years ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Zane Chua marked this as fixed with commit 61f162 2 years ago
Zane Chua has been awarded the fix bounty
This vulnerability will not receive a CVE
2 years ago


Hi, it seems to be not fixed.

2 years ago


Mistake I typed, this parameter is fixed.

Zane Chua
2 years ago


It's been fixed in the repo but not on the live site.

The fix will go up in the next deployment.
