Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system (Valid)
XSS via group name in item
💥 VERSION TESTED
latest version as of 1/7/21
💥 STEPS TO REPRODUCE
1. First go to
http://localhost/online-invoice2/app/admin/pageEditGroup.php, add a new group, and put the XSS payload below in the group name:
group1"'><img src=x onerror=alert()>
2. Now add a new user called
user-B to this group.
3. Now go to user-B's account and add a new item. Let's assume the item id is
4. Now finally go to the admin account and visit the item URL above,
http://localhost/online-invoice2/app/items_view.php?SelectedID=8, and see that the XSS is executed: the group name is stored unencoded and written into the item page as raw HTML.
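The root cause of a stored XSS like this one is that attacker-controlled data (the group name) is written into the page without HTML encoding. The PHP snippet below is an added example, not code from online-invoicing-system, showing how the group name should be rendered so that the payload from step 1 stays inert; the helper names `h()` and `renderGroupCell()` and the `$item` array shape are assumptions for illustration.

```php
<?php
// Added example (not code from online-invoicing-system): render an
// attacker-controlled group name so that a stored payload cannot execute.
// Function names and the item array shape are assumptions for illustration.

declare(strict_types=1);

/** Encode a value for safe insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the value is also safe inside quoted
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the group cell of an item row; the group name is untrusted data. */
function renderGroupCell(array $item): string
{
    // Encode at the point of output, in both the attribute and the text context.
    return '<td data-group="' . h($item['groupName']) . '">'
         . h($item['groupName'])
         . '</td>';
}

// Constructed sample: the group name carries the payload from the report.
$item = ['id' => 8, 'groupName' => 'group1"\'><img src=x onerror=alert()>'];

$html = renderGroupCell($item);
echo $html, PHP_EOL;

// Every <, >, " and ' is now an entity: the browser shows the name as text
// and no <img> element (and therefore no onerror handler) is ever created.
assert(strpos($html, '<img') === false);
```

Encoding at output time, in the context the value lands in, is the fix that generalises: the same `h()` wrapper applied wherever the group name (or any other stored field) is echoed into HTML closes this report's issue without having to guess which characters an attacker might use at input time.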