boxbilling

vulnerability cross site scripting
severity 6.8
language php
registry other

✍️ Description

XSS is possible via support ticket reply functionality for admin. It can happen if a client registers with his name as the XSS payload and admin replies with the default greetings. Otherwise admin have to manually enter the payload in reply form.

🕵️‍♂️ Proof of Concept

  1. Register new client with first name as xss payload [click](javascript://%0dalert(1))
  2. Create a support ticket
  3. From admin panel, visit the support ticket page and reply with the default message in the reply form.
  4. Click on the link from admin's message and XSS will fire.

POC video: https://drive.google.com/file/d/1aCMb4ETmGVzipBlaUX6tFwpzF6mKlW7e/view

💥 Impact

This vulnerability is capable of executing arbitrary scripts.

References