Cross-site scripting - Reflected XSS caused by error logs in neorazorx/facturascripts in neorazorx/facturascripts


Reported on

Jun 4th 2022


There are two fields that can insert the XSS payload by the error log.

  1., the codbalance field
  2., the tipoidfiscal field in Fiscal Id

Both fields require 1 and 25 numbers or letters, no spaces, accents or any other character.. So we can not store the payload, but we can trigger a reflected XSS via the error log.

Proof of Concept

POST /facturascripts/EditSettings HTTP/1.1
Content-Disposition: form-data; name="action"

Content-Disposition: form-data; name="activetab"

Content-Disposition: form-data; name="code"

Content-Disposition: form-data; name="multireqtoken"

Content-Disposition: form-data; name="tipoidfiscal"

Content-Disposition: form-data; name="codeid"



This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a year ago
i0hex modified the report
a year ago
i0hex modified the report
a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a year ago
i0hex modified the report
a year ago
Carlos Garcia validated this vulnerability a year ago
i0hex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia marked this as fixed in 2022.1 with commit 7b4ddb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


@admin Can you assign CVE?

Jamie Slome
a year ago


Sorted 👍

to join this conversation