Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Valid
Jun 30th 2021
There is a stored XSS in the online invoicing system that can be exploited by any user who has permission to add an invoice. When such a user adds a comment while creating an invoice, the comment is not properly sanitized, so an XSS payload placed in it is triggered.
🕵️‍♂️ Proof of Concept
Video POC: https://drive.google.com/file/d/1bC9YJFV08fltA23sPJSgIT0JTYU39NjR/view?usp=sharing
Payload: '''><svg/onload=prompt(5)>
This stored XSS can be used to steal other users' cookies and to hijack the session of any user who visits the invoice carrying the injected XSS payload.
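The remedy for this class of bug is to encode the stored comment for its HTML context at output time. The following is an added example, not code from online-invoicing-system or from the report: it assumes the pages are rendered in PHP, and the function names, the `comments` field name and the markup are hypothetical.

```php
<?php
// Added example: hypothetical rendering helpers, not the project's own code.

// Constructed sample: the comment value from the report, as it would sit in the database.
$storedComment = "'''><svg/onload=prompt(5)>";

// Vulnerable pattern: the stored value is concatenated into markup unchanged.
// The leading quotes and '>' close the quoted attribute and the tag, so the
// rest of the value is parsed as a new element.
function render_comment_unsafe(string $comment): string
{
    return "<input name='comments' value='" . $comment . "'>"
         . "<td class='comments'>" . $comment . "</td>";
}

// Output encoder for HTML element and quoted-attribute contexts.
// ENT_QUOTES encodes both ' and ", so the value cannot terminate the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, every dynamic value passed through h().
function render_comment_safe(string $comment): string
{
    return "<input name='comments' value='" . h($comment) . "'>"
         . "<td class='comments'>" . h($comment) . "</td>";
}

// True when the rendered HTML contains a literal <svg start tag.
function contains_live_svg(string $html): bool
{
    return stripos($html, '<svg') !== false;
}

$unsafe = render_comment_unsafe($storedComment);
$safe   = render_comment_safe($storedComment);

echo "unsafe output contains <svg tag: ";
var_dump(contains_live_svg($unsafe));
echo "safe output contains <svg tag:   ";
var_dump(contains_live_svg($safe));
echo $safe, PHP_EOL;
```

Marking the session cookie `HttpOnly` limits the cookie-theft impact described above, but it does not remove the script execution itself, so the output encoding is still required.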