Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Reported on Jul 4th 2021

✍️ Description

In the online-invoicing-system repo I found a stored XSS which gets exploited on the unpaid invoice view, triggered by the client name.

🕵️‍♂️ Proof of Concept

Steps to reproduce:
1. Add a client with the name xss"'><img src=x onerror=alert(1111)>
2. Save and then go to unpaid invoices.
3. Add an unpaid invoice and select the client we added before.
4. Save and you will see the XSS pop-up.

💥 Impact

This vulnerability allows stored XSS: markup placed in a client's name is saved and executes in the browser of any user who views an unpaid invoice for that client.
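As an added illustration of the reproduction steps and the impact above (not code from the report or from the online-invoicing-system project), this Python contrasts a hypothetical template that concatenates the client name into the unpaid-invoice page unencoded with one that HTML-encodes it, using the client name from step 1. A small parser-based audit shows the injected img/onerror node appearing only in the unencoded rendering, while the encoded rendering still displays the name verbatim.

```python
import html
from html.parser import HTMLParser

# Client name taken from step 1 of the reproduction steps.
REPORTED_PAYLOAD = 'xss"\'><img src=x onerror=alert(1111)>'


def render_unpaid_invoice_vulnerable(client_name: str) -> str:
    """Hypothetical reconstruction of the flaw: the stored client name is
    concatenated into the client picker with no output encoding, so the
    quote characters close the attribute and the <img> becomes live markup."""
    return (f'<select name="client"><option value="{client_name}">'
            f'{client_name}</option></select>')


def render_unpaid_invoice_fixed(client_name: str) -> str:
    """Hardened form: encode & < > " ' so the value is safe in both the
    attribute context and the text context it is written into."""
    safe = html.escape(client_name, quote=True)
    return (f'<select name="client"><option value="{safe}">'
            f'{safe}</option></select>')


class TagAudit(HTMLParser):
    """Collects tag names, on* event-handler attributes and decoded text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

    def handle_data(self, data):
        self.text += data


def audit(fragment: str) -> dict:
    """Parse a rendered fragment and report what the browser would see."""
    parser = TagAudit()
    parser.feed(fragment)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers, "text": parser.text}


if __name__ == "__main__":
    print(audit(render_unpaid_invoice_vulnerable(REPORTED_PAYLOAD)))
    print(audit(render_unpaid_invoice_fixed(REPORTED_PAYLOAD)))
```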

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 22 days ago
BigProf Software validated this vulnerability 16 days ago
0daksh0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 827198 16 days ago
BigProf Software has been awarded the fix bounty