Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Jul 3rd 2021
There is a stored XSS on the user profile edit page, caused by improper sanitization of the Address field. This was tested on the latest release.
Proof of Concept
Steps to Reproduce:
1. Go to https://localhost:443///admin/pageSettings.php?search-settings=smtp
2. Add "><img src=x onerror=alert(document.domain)> as the sender's name.
3. Update the page, then visit https://localhost:443///admin/pageMail.php?sendToAll=1 and you will see an alert.
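
The fix for this class of bug is to encode the stored value at output time. The following is an added example, not code from online-invoicing-system: it renders the sender's name value from the steps above into an HTML attribute without and with encoding, then parses both results to show whether an img element is created. The helper names and the sender_name field name are hypothetical.

```php
<?php
// Added illustration; not code from online-invoicing-system.
// render_unsafe(), render_safe(), count_tags() and the "sender_name"
// field name are hypothetical.

// Constructed sample: the value entered as the sender's name in the report.
$stored = '"><img src=x onerror=alert(document.domain)>';

// Before: the stored value is concatenated into the attribute as-is,
// so its leading "> closes the attribute and the input tag.
function render_unsafe(string $senderName): string
{
    return '<input type="text" name="sender_name" value="' . $senderName . '">';
}

// After: encode for the HTML context when writing the page.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_safe(string $senderName): string
{
    $encoded = htmlspecialchars($senderName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="sender_name" value="' . $encoded . '">';
}

// Parse the fragment and count the elements of one tag name it produces.
function count_tags(string $html, string $tag): int
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<body>' . $html . '</body>'); // @: silence parser warnings
    return $doc->getElementsByTagName($tag)->length;
}

// Read back what the form field would contain after parsing.
function input_value(string $html): string
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<body>' . $html . '</body>');
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

foreach (['unsafe' => render_unsafe($stored), 'safe' => render_safe($stored)] as $label => $html) {
    printf("%-6s img elements: %d, field value intact: %s\n",
        $label,
        count_tags($html, 'img'),
        input_value($html) === $stored ? 'yes' : 'no');
}
```

Encoding on output keeps the stored text unchanged in the database, so the same value can still be shown correctly in the settings form.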