XSS via filename in neorazorx/facturascripts

Valid

Reported on

May 13th 2022


Description

XSS using filename

Proof of Concept

1. First, download this file https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert(123)%3E.jpeg to your system. Don't change the filename.
A filename like xss"'><img src=x onerror=alert(123)>.jpeg can be created on a Linux system. On Windows it is not possible.
2. Upload this file to https://localhost/ListAttachedFile and save it. Now the XSS is executed.
Whenever any user tries to view this file, the XSS is executed.

Impact

XSS can be used to steal the victim's cookie.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a year ago
Carlos Garcia
a year ago

Maintainer


I was unable to reproduce the error. The file is moved to the MyFiles folder by replacing the original name with an id, and the original name is stored in the database with the html escaped.

https://i.imgur.com/Sq1LC5Q.png
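The two mitigations the maintainer describes (store the file under an id rather than its original name, and HTML-escape the original name when it is displayed) illustrated as an added Python example using the proof-of-concept filename from the report above; this is not FacturaScripts code, and the row-rendering functions, the extension allow-list and the `contains_markup` check are assumptions made for the example:

```python
import html
import os
import re

# Constructed sample input: the filename from the proof of concept above.
POC_NAME = 'xss"\'><img src=x onerror=alert(123)>.jpeg'

# Assumed allow-list of extensions the attachment feature accepts.
SAFE_EXTENSIONS = {"jpeg", "jpg", "png", "pdf"}


def render_row_unescaped(file_id: int, original_name: str) -> str:
    """The pattern behind the bug: the user-supplied name is interpolated raw."""
    return f"<tr><td>{file_id}</td><td>{original_name}</td></tr>"


def render_row(file_id: int, original_name: str) -> str:
    """Hardened form: the name is escaped for an HTML text context, quotes included."""
    return f"<tr><td>{file_id}</td><td>{html.escape(original_name, quote=True)}</td></tr>"


def storage_name(original_name: str, file_id: int) -> str:
    """Name used on disk: the database id plus an allow-listed extension.

    The original name never reaches the filesystem, so it cannot be echoed back
    from a directory listing or a download path; only its extension survives,
    and only if it is on the allow-list.
    """
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9]+", ext) or ext not in SAFE_EXTENSIONS:
        ext = "bin"
    return f"{file_id}.{ext}"


def contains_markup(original_name: str) -> bool:
    """Detection helper: flag uploads whose name carries HTML metacharacters."""
    return any(c in original_name for c in "<>\"'&")


if __name__ == "__main__":
    print(render_row_unescaped(1, POC_NAME))   # script tag survives
    print(render_row(1, POC_NAME))             # rendered as literal text
    print(storage_name(POC_NAME, 1))           # 1.jpeg
    print(contains_markup(POC_NAME))           # True
```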

We have sent a follow up to the neorazorx/facturascripts team. We will try again in 7 days. a year ago
ranjit-git
a year ago

Researcher


Carlos Garcia validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia
a year ago

Maintainer


Thank you very much for the demonstration. I have fixed the bug and added a test to avoid regressions.

Carlos Garcia marked this as fixed in 2022.08 with commit 7882db a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE