Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Jul 2nd 2021
xss via groupname
💥 VERSION TESTED
latest version as of 1/7/21
💥 STEP TO REPRODUCE
1. first goto
http://localhost/online-invoice2/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in group-name.
group1"'><img src=x onerror=alert()>.
2. Now add a new user to this group . lets assume the added userid is
Now visit url
http://localhost/online-invoice2/app/admin/pageEditMemberPermissions.php?memberID=user1 and see xss is executed.
In this url change
memberID parameter value with above userid .