Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Reported on Jul 5th 2021

✍️ Description

I found a stored XSS in your project, which is led by adding an anonymous group name.

🕵️‍♂️ Proof of Concept

Steps to reproduce:
1. Create a group.
2. Enter `group"'><img src=x onerror=alert()>` in the group name.
3. Save and visit view groups.
4. Click on Anonymous group you just created.
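The steps above describe the classic stored-XSS pattern: a value saved to the database is later echoed into HTML without escaping, so a name that closes the surrounding quote and tag injects its own element. The following is an added example, not code from the original report or from bigprof-software/online-invoicing-system, and it does not reproduce the project's fix (commit 953bb2 is referenced but not shown on this page). It models a hypothetical "view groups" link, with the markup shape, the `groups_view.php` URL and the `id` parameter all assumed for illustration, rendered first by raw concatenation and then with output escaping, and includes a small check that counts tags the group name managed to inject.

```javascript
// Added example (not code from bigprof-software/online-invoicing-system).
// Models a "view groups" page that echoes a stored group name into HTML:
// first by raw concatenation (the pattern behind the report), then with
// context-appropriate escaping. The markup shape, URL and id parameter are
// assumptions for illustration; the payload is the one from the report.

const PAYLOAD = 'group"\'><img src=x onerror=alert()>';

// Escape the five characters that matter in HTML text content and in
// double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the stored name lands unescaped in both an attribute and
// text content. The payload closes the title attribute and the <a> tag,
// then injects its own <img> element in both places.
function renderGroupLinkVulnerable(name, id) {
  return `<a href="groups_view.php?id=${id}" title="${name}">${name}</a>`;
}

// Hardened: every untrusted value is encoded for the context it lands in.
// The name goes through escapeHtml; the id goes into a URL query string,
// so it is percent-encoded as well.
function renderGroupLinkHardened(name, id) {
  const safeId = encodeURIComponent(String(id));
  const safeName = escapeHtml(name);
  return `<a href="groups_view.php?id=${safeId}" title="${safeName}">${safeName}</a>`;
}

// Minimal check usable when verifying a fix: count any opening tag in the
// output other than the single <a> the template itself emits. A correct
// render of an arbitrary group name must yield 0.
function injectedTagCount(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<a\s/i.test(t)).length;
}

// Stand-alone demonstration of both renders on the report's payload.
const vulnerable = renderGroupLinkVulnerable(PAYLOAD, 7);
const hardened = renderGroupLinkHardened(PAYLOAD, 7);
console.log('vulnerable:', vulnerable, '-> injected tags:', injectedTagCount(vulnerable));
console.log('hardened:  ', hardened, '-> injected tags:', injectedTagCount(hardened));
```

The escaping is applied at output time rather than by stripping characters on input: the stored name stays intact in the database, and any other page that later prints it must escape it the same way, which is why a review of a fix like this should cover every place the group name is rendered, not only the view that the report used to trigger the alert.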

💥 Impact

This vulnerability is capable of stored XSS.

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 21 days ago
BigProf Software validated this vulnerability 16 days ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 953bb2 16 days ago
BigProf Software has been awarded the fix bounty