Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jun 28th 2021


✍️ Description

Stored XSS bug using an XSS payload in the full name field; other fields like address, city and state will work as well.

🕵️‍♂️ Proof of Concept

Create a new user with the following payload in one of the fields I mentioned above (full name, address etc.): "><img src=x onerror=alert('xss-ribersec')>. Then browse to your profile and see the XSS popup: https://your_own_url/online-invoicing-system-4.9/app/membership_profile.php. If you want to alert the cookies, simply change the payload to "><img src=x onerror=alert(document.cookie)>.

💥 Impact

Possible to steal admin cookies or take over another account via cookie grabbing.
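The payload above starts with "> because the stored value is written into the value attribute of an input on the profile page, so an unencoded value closes the attribute and the element and injects a new one. The following PHP is an added example, not code from the online-invoicing-system project: it renders a profile field the vulnerable way and the hardened way (htmlspecialchars with ENT_QUOTES, which encodes both quote characters) and runs a simple check over a constructed sample record. The function names and the sample record are assumptions for illustration; only the field names and the payload come from the report.

```php
<?php
// Added example (not the project's code): the reported payload breaking out of
// an input's value attribute, and contextual output encoding neutralising it.

declare(strict_types=1);

// Constructed sample record standing in for a row of the members table.
// The full_name value is the payload from the report.
$profile = [
    'full_name' => '"><img src=x onerror=alert(\'xss-ribersec\')>',
    'address'   => '1 Example Street',
    'city'      => 'Exampletown',
];

// Vulnerable pattern: the stored value is echoed straight into an attribute.
function renderFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML-attribute context. ENT_QUOTES makes
// sure both " and ' are encoded, so the value can never close the attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . escapeHtml($name)
         . '" value="' . escapeHtml($value) . '">';
}

// Crude reviewer check: after the single <input ...> we intentionally emitted,
// is there any further '<' followed by a letter, i.e. an injected element?
function containsRawTag(string $html): bool
{
    $rest = preg_replace('/^<input[^>]*>/', '', $html, 1);
    return (bool) preg_match('/<[a-zA-Z]/', $rest);
}

foreach ($profile as $field => $value) {
    $unsafe = renderFieldUnsafe($field, $value);
    $safe   = renderFieldSafe($field, $value);
    printf(
        "%-9s raw: breaks out=%s | encoded: breaks out=%s\n",
        $field,
        containsRawTag($unsafe) ? 'yes' : 'no',
        containsRawTag($safe) ? 'yes' : 'no'
    );
}
```

Encoding at output time, in the context the value lands in, is the fix for the bug itself; input filtering on the profile form is only defence in depth, since the same data may be rendered elsewhere. Marking the session cookie HttpOnly and sending a Content-Security-Policy header do not remove the XSS, but they reduce the cookie-theft impact described above while the encoding fix is rolled out.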

💥 References

https://owasp.org/www-community/attacks/xss/

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


@maintainer - any thoughts here?

BigProf Software validated this vulnerability a year ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf
a year ago

Maintainer


I wouldn't classify this as 'high severity' as the app admin has no motive to XSS his app users (and he can do much more damage in many other ways if he really wants since he's the system admin). So, this vulnerability is ineffective without combining it with a CSRF attack. Anyway, thanks for reporting it. I'll make a fix now.

BigProf Software confirmed that a fix has been merged on 7167fb a year ago
BigProf Software has been awarded the fix bounty