Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Reported on Jul 3rd 2021

✍️ Description

There is a stored XSS on the user profile edit page, which occurs due to improper sanitization of the Address field, as tested on the latest release.

🕵️‍♂️ Proof of Concept

Steps to reproduce:

Go to /admin/pageSettings.php and click Preconfigured users and groups

Add the payload "><img src=x onerror=alert(document.domain)> in the Name of the anonymous user, then save and exit

Visit admin/pageViewMembers.php and see the stored XSS fire


💥 Impact

Stored XSS
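The report attributes the issue to improper sanitization of a stored field. As an added example (not code from the report or from the project), the PHP below shows why the payload's leading "> matters when a stored value is written unescaped into an attribute, and how encoding at output time keeps it as inert text. The function names and the HTML row layout are assumptions; the project's actual rendering code does not appear on this page.

```php
<?php
// Added illustration, not code from bigprof-software/online-invoicing-system.
// The render_member_row_* functions and the row layout are hypothetical.

// Constructed sample: the Name value from the report's proof of concept.
$storedName = '"><img src=x onerror=alert(document.domain)>';

// Unsafe: the stored value is concatenated into an attribute value and a
// text node. The leading "> closes the attribute and the <input> tag, so
// the rest of the value is parsed as new markup.
function render_member_row_unsafe(string $name): string
{
    return '<tr><td><input type="text" name="name" value="' . $name . '"></td>'
         . '<td>' . $name . '</td></tr>';
}

// Output encoding for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: same layout, every dynamic value encoded where it is written out.
function render_member_row_safe(string $name): string
{
    return '<tr><td><input type="text" name="name" value="' . h($name) . '"></td>'
         . '<td>' . h($name) . '</td></tr>';
}

// True when the row contains a raw <img tag that a browser would parse as an element.
function contains_injected_markup(string $html): bool
{
    return stripos($html, '<img') !== false;
}

$rows = [
    'unsafe' => render_member_row_unsafe($storedName),
    'safe'   => render_member_row_safe($storedName),
];

foreach ($rows as $label => $html) {
    $verdict = contains_injected_markup($html) ? 'markup injected' : 'rendered as text';
    echo $label, ': ', $verdict, PHP_EOL, '  ', $html, PHP_EOL;
}
```

Encoding belongs at the point of output because the same stored value may later be written into other contexts (JavaScript, URLs) that need different encoders.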

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 23 days ago
BigProf Software validated this vulnerability 23 days ago
D3lT4 has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 96dd9b 23 days ago
BigProf Software has been awarded the fix bounty