Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jul 1st 2021


💥 BUG

Stored xss via group name

💥 TESTED VERSION

latest version as of 01/07/21

💥 STEP TO REPRODUCE

1. Create a group with the below XSS payload in the name:
group1"'><img src=x onerror=alert(22)>.
2. Now add a new user called user-B to the above group.
3. Finally, visit http://localhost/online-invoice2/app/admin/pageViewMembers.php and see that the XSS is executed.
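The root cause in this class of bug is a group name that is written into the members page HTML without output encoding. The PHP below is an added example written for this report, not code from the online-invoicing-system project or from its fix commit: it shows a rendering helper with the defective pattern beside a hardened one that HTML-encodes the name with `htmlspecialchars`, plus an optional allow-list check on the name at creation time as a second layer. The function names, the table layout and the sample values are assumptions made for the example; only the group name string itself comes from the report above.

```php
<?php
// Added example (not the project's code). Two ways of rendering a group name
// in an HTML members table, and an input-side check for defence in depth.

function render_row_unsafe(string $groupName, string $userName): string
{
    // Defective pattern: untrusted data is concatenated straight into HTML,
    // so any markup inside the name becomes part of the page.
    return "<tr><td>{$userName}</td><td>{$groupName}</td></tr>";
}

function render_row_safe(string $groupName, string $userName): string
{
    // ENT_QUOTES encodes both ' and " (so the value is also safe inside a
    // quoted attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would otherwise silently drop the cell.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<tr><td>' . htmlspecialchars($userName, $flags, 'UTF-8')
         . '</td><td>' . htmlspecialchars($groupName, $flags, 'UTF-8')
         . '</td></tr>';
}

function is_acceptable_group_name(string $name): bool
{
    // Allow-list check applied when the admin creates the group (hypothetical
    // rule: letters, digits, space, underscore, dot, hyphen; 1 to 64 chars).
    // This is a secondary control; output encoding above is the real fix,
    // because names already stored, or imported by other paths, bypass it.
    return preg_match('/^[\p{L}\p{N} _.-]{1,64}$/u', $name) === 1;
}

// Constructed sample: the group name from the report and a user in that group.
$groupName = 'group1"\'><img src=x onerror=alert(22)>';
$userName  = 'user-B';

// Creation-time check rejects this name outright.
var_dump(is_acceptable_group_name($groupName));   // bool(false)
var_dump(is_acceptable_group_name('Sales Team'));  // bool(true)

// Rendering: the unsafe helper emits a live <img> tag whose onerror handler
// would run in the admin's browser; the safe helper shows the name as text.
echo render_row_unsafe($groupName, $userName), PHP_EOL;
echo render_row_safe($groupName, $userName), PHP_EOL;
// Safe output:
// <tr><td>user-B</td><td>group1&quot;&#039;&gt;&lt;img src=x onerror=alert(22)&gt;</td></tr>
```

Note that `htmlspecialchars` is the right encoder only for HTML element content and quoted attribute values; a name placed inside a JavaScript string or a URL needs the encoding for that context instead, which is the usual reason a single "sanitise on input" step is not enough on its own.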

💥 VIDEO POC

https://drive.google.com/file/d/1JWD5LwbL-W5cDp2G8osXitoLxzAAl_9d/view?usp=sharing

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back a year ago
BigProf Software validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf (Maintainer), a year ago:
I wouldn't assign a 'high' severity to this issue since only the admin can add a group, and there is no logical motive for an admin to XSS his users. So, this is not effective without a combined CSRF attack. But anyway, thanks for researching and reporting this.

BigProf Software confirmed that a fix has been merged on a5faa0 a year ago
BigProf Software has been awarded the fix bounty