Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jul 3rd 2021

💥 BUG

STORED XSSS

💥 TESTED VERSION

latest version as of 3/7/21

💥 STEP TO REPRODUCE

plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/16Y2WR7PKj-OpDGGDMAxV60CaiSX2RZXl/view?usp=sharing

Occurrences

invoices_view.php L10

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 2 years ago

ranjit-git

commented 2 years ago

Researcher

Hi, plz check report submitted to your other repo https://github.com/bigprof-software/online-rental-property-manager

BigProf Software BigProf

commented 2 years ago

Maintainer

Thanks for your report. Is it possible to type the payload here please?

ranjit-git

commented 2 years ago

Researcher

xss"'><img src=x onerror=alert()> There are many report i submitted in your rental-app https://github.com/bigprof-software/online-rental-property-manager . https://huntr.dev/bounties/1625275424045-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625276398773-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625276675121-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625277205662-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625277344153-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625277481076-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625277573714-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625278265041-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625278915548-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625302858201-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625303011741-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625303164980-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625303278601-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625304183206-bigprof-software/online-rental-property-manager/ https://huntr.dev/bounties/1625304330526-bigprof-software/online-rental-property-manager/

ranjit-git

commented 2 years ago

Researcher

xss"'><img src=x onerror=alert()>
There are many report i submitted in your rental-app https://github.com/bigprof-software/online-rental-property-manager .\

https://huntr.dev/bounties/1625275424045-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625276398773-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625276675121-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277205662-bigprof-software/online-rental-property-manager/\ https://huntr.dev/bounties/1625277344153-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277481076-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625277573714-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625278265041-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625278915548-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625302858201-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625303011741-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625303164980-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625303278601-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625304183206-bigprof-software/online-rental-property-manager/
https://huntr.dev/bounties/1625304330526-bigprof-software/online-rental-property-manager/\

BigProf Software BigProf

commented 2 years ago

Maintainer

I got notifications for those but for some strange reason, whenever I visit any of the links, huntr is asking me to log in as a maintainer of the repo -- but I'm already logged in as a maintainer ... seems there is a bug on huntr's side that should be part of the bounty!!

I contacted huntr about this bug and still waiting for their response.

BigProf Software validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

BigProf Software marked this as fixed with commit 5c122d 2 years ago

BigProf Software has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 2 years ago

ranjit-git

commented 2 years ago

Researcher

Hi, plz check report submitted to your other repo https://github.com/bigprof-software/online-rental-property-manager

BigProf Software BigProf

commented 2 years ago

Maintainer

Thanks for your report. Is it possible to type the payload here please?

ranjit-git

commented 2 years ago

Researcher

ranjit-git

commented 2 years ago

Researcher

xss"'><img src=x onerror=alert()>
There are many report i submitted in your rental-app https://github.com/bigprof-software/online-rental-property-manager .\

BigProf Software BigProf

commented 2 years ago

Maintainer

I contacted huntr about this bug and still waiting for their response.

BigProf Software validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

BigProf Software marked this as fixed with commit 5c122d 2 years ago

BigProf Software has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation