Cross-site Scripting (XSS) - Stored in poowf/invoiceneko


Reported on

Aug 13th 2021

✍️ Description

A stored Cross-Site Scripting (XSS) vulnerability exists due to the lack of content validation and output encoding. It can be exploited by uploading a crafted payload inside a document; the payload is then triggered when the user previews the document's content.

Vulnerable url! 


injection point INSERT LINK  "><img src=x onerror=confirm(1)>

🕵️‍♂️ Proof of Concept

💥 Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc., and a victim is then able to retrieve the stored data from the web application without that data being made safe to render in the browser.
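
The two missing controls named in the description, content validation and output encoding, are shown below as an added example. It is not code from poowf/invoiceneko or from the report, and every function name in it (escapeHtml, safeHref, renderLinkUnsafe, renderLinkSafe) is hypothetical. It renders a stored link value once by plain concatenation and once with a scheme allow-list plus attribute encoding, using the payload quoted above as sample input.

```javascript
// Added example. All names here are hypothetical and are not taken
// from the poowf/invoiceneko code base.

// Output encoding: neutralise the characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Content validation: accept only absolute http(s) or mailto URLs.
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // not an absolute URL at all
  }
  return ["http:", "https:", "mailto:"].includes(url.protocol) ? url.href : null;
}

// Vulnerable pattern: the stored value is concatenated into the attribute,
// so a double quote in the value ends the attribute and starts new markup.
function renderLinkUnsafe(stored) {
  return '<a href="' + stored + '">link</a>';
}

// Hardened pattern: validate first, then encode for the attribute context.
// Rejected values are shown as inert, encoded text instead of a link.
function renderLinkSafe(stored) {
  const href = safeHref(stored);
  if (href === null) return "<span>" + escapeHtml(stored) + "</span>";
  return '<a href="' + escapeHtml(href) + '">link</a>';
}

// Constructed sample input: the payload quoted in this report.
const payload = '"><img src=x onerror=confirm(1)>';
console.log(renderLinkUnsafe(payload)); // attribute is closed early by the value
console.log(renderLinkSafe(payload));   // rendered as encoded text only
console.log(renderLinkSafe("https://example.com/?a=1&b=2"));
```

Encoding at output time is the control that stops the attribute breakout; the allow-list is a second layer for values that are syntactically valid URLs but use a scheme the application has no reason to link to.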

Ziding Zhang
4 months ago


Hey Raptor, I've just emailed the repo's team about this. Good job!

4 months ago


Thanks man

We have contacted a member of the poowf/invoiceneko team and are waiting to hear back 4 months ago
Zane Chua validated this vulnerability 3 months ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Zane Chua confirmed that a fix has been merged on 61f162 3 months ago
Zane Chua has been awarded the fix bounty
3 months ago


Hi, it seems to be not fixed.

3 months ago


Mistake I typed, this parameter is fixed.

Zane Chua
3 months ago

It's been fixed in the repo but not on the live site.

The fix will go up in the next deployment.