Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system


Reported on

Mar 26th 2021

✍️ Description

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "filterer_item" parameter.

🕵️‍♂️ Proof of Concept

You can find installation instructions here:

Vulnerable Parameter: filterer_item

XSS Payload: 1</script><script>alert(9085)</script>

Once it is installed successfully, visit the PoC link below to trigger the XSS:



💥 Impact

With the help of XSS, an attacker can perform social engineering on users by redirecting them from the real website to a fake one. An attacker can steal their cookies, leading to account takeover, and download malware onto their system, and there are many more attack scenarios a skilled attacker can perform with XSS.
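The payload in the PoC (`1</script><script>alert(9085)</script>`) only works if the parameter value is reflected inside an inline `<script>` block: the HTML parser ends the script element at the first `</script`, regardless of any JavaScript string quoting, so the attacker's own `<script>` block becomes live code. The following is an added example, not code from the report or from the online-invoicing-system project, showing the vulnerable reflection pattern beside a context-correct encoding that makes the break-out impossible, plus the check a WAF rule or access-log scan would apply to flag such requests. The `invoicing.example` URL and the `index.php` path are constructed placeholders; only the parameter name and payload come from the report.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Parameter name and payload as given in the report.
PARAM = "filterer_item"
PAYLOAD = "1</script><script>alert(9085)</script>"

# Constructed sample request URL (hypothetical host and path; the report's
# actual PoC link is not reproduced on the page). The query string is the
# percent-encoded form of PAYLOAD.
SAMPLE_REQUEST_URL = (
    "https://invoicing.example/app/index.php?"
    "filterer_item=1%3C%2Fscript%3E%3Cscript%3Ealert%289085%29%3C%2Fscript%3E"
)


def render_vulnerable(value: str) -> str:
    """Reflect the parameter into an inline script with no encoding.

    Quoting the value as a JS string does not help: the HTML tokenizer
    closes the <script> element at the first '</script' it sees, so the
    payload's second <script> block is parsed and executed.
    """
    return f'<script>var {PARAM} = "{value}";</script>'


def encode_for_script(value: str) -> str:
    """JSON-encode a value for safe embedding inside a <script> element.

    json.dumps takes care of quotes and backslashes; the extra replacements
    turn <, > and & into \\uXXXX escapes so the serialised literal can never
    contain '</script' (or any other tag) at the HTML layer. The JavaScript
    engine decodes the escapes back to the original characters at runtime.
    """
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_safe(value: str) -> str:
    """Same page fragment with the value encoded for the script context."""
    return f"<script>var {PARAM} = {encode_for_script(value)};</script>"


# Tolerates whitespace between '<', '/' and 'script', and ignores case.
SCRIPT_BREAKOUT = re.compile(r"<\s*/\s*script", re.IGNORECASE)


def flag_script_breakout(url: str) -> list[str]:
    """Return the query parameter names whose decoded value closes a <script> tag.

    parse_qs percent-decodes values, so an encoded '%3C%2Fscript' is caught
    as well as the literal form. Intended as a detection/triage helper, not
    as a substitute for output encoding.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [
        name for name, values in params.items()
        if any(SCRIPT_BREAKOUT.search(v) for v in values)
    ]


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_safe(PAYLOAD))
    print("flagged:   ", flag_script_breakout(SAMPLE_REQUEST_URL))
```

Note that `htmlspecialchars`-style HTML entity encoding is the wrong tool for this context: entities are not decoded inside `<script>`, so the value would reach JavaScript corrupted, while a JSON encoder that also escapes `<`, `>` and `&` preserves the value exactly and cannot emit a closing tag.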

3 years ago

I'm not able to reproduce this XSS; is this still an issue?

BigProf Software marked this as fixed with commit 8555d6 2 years ago
BigProf Software has been awarded the fix bounty