Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Reported on Jul 4th 2021

✍️ Description

There is a stored XSS on the user profile edit page, which occurs due to improper sanitization of the Address field, as tested on the latest release.

🕵️‍♂️ Proof of Concept

Steps to reproduce:

1. Go to /admin/pageSettings.php?search-settings=smtp.
2. Enter the payload "<svg/onload=prompt(document.domain)>"@x.y in the "Senders Email" field and click Save.
3. Visit /admin/pageMail.php?sendToAll=1 to see the pop-up (see the video).

PoC video:

💥 Impact

Stored XSS: the payload is persisted in the SMTP sender email setting and executes in the browser of any user who visits /admin/pageMail.php?sendToAll=1.
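As an added illustration (not code from this report or from the online-invoicing-system project), the Python below shows the two defensive layers this finding calls for: a strict allow-list on the sender address at save time, and HTML encoding at the point where the stored value is rendered. The regex, function names and the "billing@example.com" sample are assumptions; the payload string is the one from the PoC above.

```python
import html
import re

# Payload string taken from the PoC in this report.
POC_SENDER = '"<svg/onload=prompt(document.domain)>"@x.y'

# Layer 1 (input): strict allow-list for a sender address. Quoted local parts
# are RFC-valid but never needed for an SMTP "from" setting, so reject them
# outright along with any HTML metacharacters. The pattern is an assumption
# about reasonable policy, not the project's own validator.
_STRICT_SENDER = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def is_acceptable_sender(value: str) -> bool:
    """Return True only for plain, unquoted addresses with no markup characters."""
    return _STRICT_SENDER.fullmatch(value) is not None


def render_sender_vulnerable(stored_value: str) -> str:
    """Mirror the defect: the stored setting is echoed into HTML without encoding."""
    return f"<p>From: {stored_value}</p>"


def render_sender_fixed(stored_value: str) -> str:
    """Layer 2 (output): encode at the HTML sink regardless of input checks."""
    return f"<p>From: {html.escape(stored_value, quote=True)}</p>"


def injected_tag_present(fragment: str) -> bool:
    """Crude check used by the demo: does a raw '<' open a tag inside the value?"""
    inner = fragment[len("<p>From: "):-len("</p>")]
    return re.search(r"<[A-Za-z]", inner) is not None


if __name__ == "__main__":
    for label, value in (("poc", POC_SENDER), ("clean", "billing@example.com")):
        print(f"{label}: accepted={is_acceptable_sender(value)}")
        print(f"  vulnerable -> tag present: {injected_tag_present(render_sender_vulnerable(value))}")
        print(f"  fixed      -> tag present: {injected_tag_present(render_sender_fixed(value))}")
```

Input validation alone is not sufficient, since settings can also be written by other code paths or older data; the encoding at the sink is what actually neutralises an already-stored value.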

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 22 days ago
BigProf Software validated this vulnerability 16 days ago
D3lT4 has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 70bc57 16 days ago
BigProf Software has been awarded the fix bounty