Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jul 1st 2021

💥 BUG

Stored xss via group name

💥 TESTED VERSION

latest version as of 01/07/21

💥 STEP TO REPRODUCE

1. create a group with bellow xss payload in name.
group1"'><img src=x onerror=alert(22)>.
2. Now add a new user called user-B to the above group .
3. Finally visit http://localhost/online-invoice2/app/admin/pageViewMembers.php and see xss is executed .

💥 VIDEO POC

https://drive.google.com/file/d/1JWD5LwbL-W5cDp2G8osXitoLxzAAl_9d/view?usp=sharing

Occurrences

pageViewMembers.php L95

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 2 years ago

BigProf Software validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

BigProf Software BigProf

commented 2 years ago

I wouldn't assign a 'high' severity to this issue since only the admin can add a group, and there is no logical motive for an admin to XSS his users. So, this is not effective without a combined CSRF attack. But anyway, thanks for researching and reporting this.

BigProf Software marked this as fixed with commit a5faa0 2 years ago

BigProf Software has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation