Stored XSS via upload plugin functionality in zip format in neorazorx/facturascripts

Valid

Reported on

Apr 21st 2022


Description

Cross-site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Here name parameter is vulnerable to xss. So after replacing the name with the XSS payload in the facturascripts.ini file. XSS payload will be executed after uploading the modified zip file.

Proof of Concept

  1. log in as a Normal User.
  2. Download any facturascripts plugin like (https://facturascripts.com/DownloadBuild/93/stable).
  3. Unzip it locally and modify name = '<script>alert(document.domain)</script>' in facturascripts.ini file.
  4. Zip it again and upload.
  5. XSS payload will be executed for all users.

PoC

https://drive.google.com/file/d/18NGs-gTbwJVDB9P_1NCfQGUbjT1Jv9MC/view?usp=sharing

Impact

Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
Tarun Garg modified the report
a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
Carlos Garcia validated this vulnerability a month ago
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tarun Garg
a month ago

Researcher


@maintainer @admin, thanks for the bounty, please assign a CVE for that.

Jamie Slome
a month ago

Admin


Before we assign and publish a CVE, we will first wait for the maintainer to confirm a fix against the report 👍

We have sent a fix follow up to the neorazorx/facturascripts team. We will try again in 7 days. a month ago
Tarun Garg
a month ago

Researcher


@maintainer

Carlos Garcia confirmed that a fix has been merged on aa9f28 a month ago
The fix bounty has been dropped
Tarun Garg
a month ago

Researcher


@admin @neorazorx @maintainer as the fix is also released please assign a CVE for this vulnerability.

Jamie Slome
a month ago

Admin


Sorted 👍

to join this conversation