Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Jun 30th 2021
There is a stored XSS in the online invoicing system that can be exploited by any user who has permission to add a client. When the user adds a comment while creating a client, the XSS payload is triggered due to improper sanitization.
Proof of Concept
Video POC: https://drive.google.com/file/d/1g6if1zfpq9Wo5ASzSGztk_Xpuw6hpc7O/view?usp=sharing
Payload: '''><svg/onload=prompt(5)>
Any user who has permission to add clients could steal admin or any user who can view clients.
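The stored-comment flow described above, as an added example rather than code from online-invoicing-system: the report's payload is rendered once unencoded and once with output encoding via PHP's htmlspecialchars. The function names and the surrounding markup are hypothetical.

```php
<?php
// Added illustration; not code from online-invoicing-system.
// Function names and markup below are hypothetical.

// The payload quoted in the report, as it would be read back from storage.
$stored_comment = "'''><svg/onload=prompt(5)>";

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// both inside a quoted attribute and inside element content.
function render_comment_unsafe(string $comment): string
{
    return "<input type='text' name='comments' value='" . $comment . "'>"
         . "<td class='comments'>" . $comment . "</td>";
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES encodes both ' and " so the value cannot close the attribute;
// < and > are encoded so no new element can start in either position.
function render_comment_safe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='comments' value='" . $encoded . "'>"
         . "<td class='comments'>" . $encoded . "</td>";
}

// Regression check: does the rendered HTML contain a live opening tag
// of the given name that came from user data?
function contains_live_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

$unsafe = render_comment_unsafe($stored_comment);
$safe   = render_comment_safe($stored_comment);

// Show whether each rendering still contains a live <svg> element.
var_dump(contains_live_tag($unsafe, 'svg'));
var_dump(contains_live_tag($safe, 'svg'));

// The encoded rendering keeps the comment as visible text.
echo $safe, PHP_EOL;
```

Encoding is applied when the value is written into the page, so comments that were stored before the fix are also rendered as text.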