Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Jul 2nd 2021
There is a Stored XSS in the online invoicing system view price history which is lead by adding invoice items.
💥 TESTED VERSION https://github.com/bigprof-software/online-invoicing-system/releases/tag/v5.0
🕵️♂️ Proof of Concept
POC Video: https://drive.google.com/file/d/1Narh5wwQos4SPwC06PKEGtKrcpsC7X7U/view?usp=sharing Steps to reproduce: 1. Click on Price History 2. Click on Add new. 3. Now you need to add new item named s"'><img src=x onerror=alert(document.domain)> and save it. 4. Now click on Invoice Items and then click on add. 5. In Invoice items:Add New you will see Item in which you will see the payload you added before select that and save it 6. You will see the Pop-up.
Stored XSS, steal admin cookies if any user has access to add invoice items,add price history.