Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid
Reported on Jul 3rd 2021

💥 BUG

STORED XSS

💥 TESTED VERSION

latest version as of 3/7/21

💥 STEPS TO REPRODUCE

Please check this 1 minute video to reproduce the bug https://drive.google.com/file/d/16Y2WR7PKj-OpDGGDMAxV60CaiSX2RZXl/view?usp=sharing

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 23 days ago
ranjit-git
23 days ago

Researcher


Hi, please check the report submitted to your other repo https://github.com/bigprof-software/online-rental-property-manager

BigProf
23 days ago

Maintainer


Thanks for your report. Is it possible to type the payload here please?

ranjit-git
23 days ago

Researcher


xss"'><img src=x onerror=alert()>

There are many reports I submitted in your rental-app https://github.com/bigprof-software/online-rental-property-manager .

https://huntr.dev/bounties/1625275424045-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625276398773-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625276675121-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277205662-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277344153-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277481076-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277573714-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625278265041-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625278915548-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625302858201-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625303011741-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625303164980-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625303278601-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625304183206-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625304330526-bigprof-software/online-rental-property-manager/

BigProf
23 days ago

Maintainer


I got notifications for those but for some strange reason, whenever I visit any of the links, huntr is asking me to log in as a maintainer of the repo -- but I'm already logged in as a maintainer ... seems there is a bug on huntr's side that should be part of the bounty!!

I contacted huntr about this bug and I'm still waiting for their response.

BigProf Software validated this vulnerability 23 days ago
ranjit-git has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
BigProf Software confirmed that a fix has been merged on 5c122d 23 days ago
BigProf Software has been awarded the fix bounty
$6.25