XSS via filename in neorazorx/facturascripts

Valid

Reported on

May 13th 2022


Description

Stored XSS via the name of an uploaded attachment: the original filename is rendered into the attached-file list without escaping.

Proof of Concept

1. Download this file to your system without changing its name: https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert(123)%3E.jpeg
   A filename such as xss"'><img src=x onerror=alert(123)>.jpeg can be created on Linux; on Windows it is not possible, because ", < and > are not allowed in filenames.
2. Upload the file at https://localhost/ListAttachedFile and save it. The XSS executes immediately on save.
3. The payload is stored: whenever any user views this attachment in the list, the XSS executes again.
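The following Python example is added here as an illustration and is not code from FacturaScripts or from the reporter. It builds the PoC filename, checks why it is only creatable on Linux, runs it through a hypothetical listing template that echoes the upload name verbatim (the behaviour the report exploits), and through a hardened store/render pair that follows the pattern the maintainer describes later in this thread (id-based name on disk, original name kept only as HTML-escaped display text). The function names, the `/MyFiles/` URL path and the `injected` regression check are assumptions for the example.

```python
import html
import os
import re
import tempfile
import uuid

# Constructed to mirror the PoC filename from the report. Linux filesystems allow
# every byte except "/" and NUL, so this name is legal there; Windows rejects it
# because < > " are reserved characters.
POC_FILENAME = 'xss"\'><img src=x onerror=alert(123)>.jpeg'
WINDOWS_RESERVED = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def allowed_on_windows(name: str) -> bool:
    """True if Windows would accept this filename (reserved-character rule only)."""
    return WINDOWS_RESERVED.search(name) is None


def render_row_vulnerable(original_name: str) -> str:
    """Hypothetical attached-file listing that echoes the upload name verbatim.

    The name lands inside an attribute and in element text, so the quote and
    angle-bracket payload closes the href and injects a live <img> tag.
    """
    return f'<tr><td><a href="/MyFiles/{original_name}">{original_name}</a></td></tr>'


def store_upload_hardened(original_name: str, data: bytes, upload_dir: str) -> dict:
    """Save the upload under an id-based name and keep an HTML-escaped display name.

    Follows the pattern the maintainer describes (id on disk, escaped name in the
    database); it is not the actual FacturaScripts implementation.
    """
    ext = os.path.splitext(original_name)[1].lower()
    if not re.fullmatch(r"\.[a-z0-9]{1,8}", ext):
        ext = ""  # never let an odd extension carry raw user input onto disk
    stored_name = uuid.uuid4().hex + ext
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return {
        "stored_name": stored_name,
        "display_name": html.escape(original_name, quote=True),
    }


def render_row_hardened(record: dict) -> str:
    """Render from the stored record: the id is path-safe, the display name is escaped."""
    return (f'<tr><td><a href="/MyFiles/{record["stored_name"]}">'
            f'{record["display_name"]}</a></td></tr>')


def injected(rendered: str) -> bool:
    """Regression check: does a live <img ... onerror> tag survive into the markup?"""
    return re.search(r"<img\b[^>]*onerror", rendered) is not None


def demo() -> dict:
    """Run the PoC name through both code paths and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        record = store_upload_hardened(POC_FILENAME, b"\xff\xd8\xff\xe0", tmp)  # constructed bytes
        on_disk = os.listdir(tmp)
    return {
        "windows_ok": allowed_on_windows(POC_FILENAME),
        "vulnerable_html": render_row_vulnerable(POC_FILENAME),
        "hardened_html": render_row_hardened(record),
        "on_disk": on_disk,
    }


if __name__ == "__main__":
    out = demo()
    print("creatable on Windows:", out["windows_ok"])
    print("vulnerable:", out["vulnerable_html"], "-> injected:", injected(out["vulnerable_html"]))
    print("hardened:  ", out["hardened_html"], "-> injected:", injected(out["hardened_html"]))
    print("on disk:", out["on_disk"])
```

Note that escaping alone is not what makes the hardened path safe for the filesystem: the id-based name is what keeps the user-controlled string out of paths and URLs, and the escaping only protects the point where the name is shown back to a user.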

Impact

The XSS can be used to steal the victim's session cookie.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
Carlos Garcia
a month ago

Maintainer


I was unable to reproduce the error. The file is moved to the MyFiles folder with the original name replaced by an id, and the original name is stored in the database with the HTML escaped.

https://i.imgur.com/Sq1LC5Q.png

We have sent a follow up to the neorazorx/facturascripts team. We will try again in 7 days. a month ago
ranjit-git
a month ago

Researcher


Carlos Garcia validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia
a month ago

Maintainer


Thank you very much for the demonstration. I have fixed the bug and added a test to avoid regressions.

Carlos Garcia confirmed that a fix has been merged on 7882db a month ago
The fix bounty has been dropped