We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Cross-site Scripting (XSS) - Stored in poowf/invoiceneko

Valid

Reported on

Aug 13th 2021

✍️ Description

Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document´s content.

Vulnerable url

https://invoiceneko.com/aarear.com/quote/adhoc/create?url=#!

Payload

injection point INSERT LINK  "><img src=x onerror=confirm(1)>

🕵️‍♂️ Proof of Concept

https://drive.google.com/file/d/1-9HpKOSBjCttyUMB2PAO-iAgmnB1fwhc/view?usp=sharing

💥 Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser.

Z-Old
2 years ago

Admin

Hey Raptor, I've just emailed the repo's team about this. Good job!

Raptor
2 years ago

Researcher

Thanks man

We have contacted a member of the poowf/invoiceneko team and are waiting to hear back 2 years ago
Zane Chua validated this vulnerability 2 years ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Zane Chua marked this as fixed with commit 61f162 2 years ago
Zane Chua has been awarded the fix bounty
This vulnerability will not receive a CVE
Raptor
2 years ago

Researcher

Hi, it seems to be not fixed.

Raptor
2 years ago

Researcher

Mistake I typed, This parameter is fixed.

Zane Chua
2 years ago

Maintainer

It's been fixed in the repo but not on the live site.

The fix will go up in the next deployment.

to join this conversation