Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system (Valid)
Stored XSS via group name
Proof of Concept
Steps to reproduce:
Go to /admin/pageEditGroup.php and create a group with the payload: '/><IMG SRC=# onerror="alert('xxs')">
Now visit the user dashboard, i.e. /membership_profile.php, and see the XSS pop up.
PoC video: https://drive.google.com/file/d/10wXP9STeYtPO11wJQ_YoLIcH-RKlV7ZU/view?usp=sharing
Note: In the video I logged in as admin in Chrome and as a user in Firefox to demonstrate.
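
The mitigation for this class of bug is to HTML-encode the group name at the point where it is written into the page. The PHP below is an added example, not code from the project or from this report; the function names and the single-quoted `value` attribute are assumptions, chosen because the reported payload begins with `'/>`.

```php
<?php
// Added example: hypothetical rendering helpers, not the project's code.

// Constructed sample input: the group name from the reproduction step above.
$groupName = "'/><IMG SRC=# onerror=\"alert('xxs')\">";

const PREFIX = "<input type='text' name='group' value='";
const SUFFIX = "'>";

// Vulnerable pattern: the stored value is concatenated into markup unencoded.
function render_group_unsafe(string $name): string {
    return PREFIX . $name . SUFFIX;
}

// Incomplete fix: ENT_COMPAT (the default before PHP 8.1) does not encode
// single quotes, so the value can still end a single-quoted attribute.
function render_group_compat(string $name): string {
    return PREFIX . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . SUFFIX;
}

// Hardened: ENT_QUOTES encodes both quote styles, so the stored value stays
// inside the attribute regardless of how the template quotes it.
function render_group_safe(string $name): string {
    return PREFIX
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . SUFFIX;
}

// True when the rendered value contains no character that could end the
// attribute or open a tag, i.e. the stored data is contained.
function is_contained(string $html): bool {
    $len   = strlen($html) - strlen(PREFIX) - strlen(SUFFIX);
    $value = substr($html, strlen(PREFIX), $len);
    return strpbrk($value, "<>'\"") === false;
}

foreach (['unsafe', 'compat', 'safe'] as $variant) {
    $html = ("render_group_" . $variant)($groupName);
    printf("%-6s contained=%s  %s\n",
        $variant, is_contained($html) ? 'yes' : 'no', $html);
}
```

Only the `safe` variant reports the value as contained. The same encoding has to be applied on every page that displays the group name, including /membership_profile.php.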