Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
Apr 19th 2021
XSS is possible via support ticket reply functionality for admin. It can happen if a client registers with his name as the XSS payload and admin replies with the default greetings. Otherwise admin have to manually enter the payload in reply form.
🕵️♂️ Proof of Concept
- Register new client with first name as xss payload
- Create a support ticket
- From admin panel, visit the support ticket page and reply with the default message in the reply form.
- Click on the link from admin's message and XSS will fire.
POC video: https://drive.google.com/file/d/1aCMb4ETmGVzipBlaUX6tFwpzF6mKlW7e/view
This vulnerability is capable of executing arbitrary scripts.