Stored XSS in neorazorx/facturascripts
May 18th 2022
Stored XSS in the ListAgenciaTransporte module of facturascripts is triggered when clicking the link with the scrolling (middle) mouse button.
Proof of Concept
1. Create a new non-admin account
2. Login and go to
3. Add a new user with a website link to
4. Save the user, navigate to http://localhost/invoices/ and click on the website link of the newly created user using the scrolling (middle) mouse button.
I see that there is a fix for this XSS vulnerability when clicking with the left mouse button here (https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/), but in this report I can trick it by clicking with the middle mouse button.
This vulnerability has the potential to phish the user by sending them to another page, steal the user's cookies, and gain unauthorized access to that user's account through the stolen cookies.
Hi @maintainer, can you please review my report? Thanks!
This bug was fixed here https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/
This bug is not the same as the one in the other report (https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/), which uses the left mouse button to click on the link.
Although the bug is stored XSS at the same place, the way to exploit it is different.
In my report, to exploit the bug, you must click on the link using the middle (scroll) mouse button. I have tested it on the newest release, which is 2022.08, and it is still vulnerable.
You can read the reference in my report to learn more about this technique; it is a type of bypass of your fix in the previous report. (http://blog.dclabs.com.br/2021/05/the-curious-case-of-xss-and-mouse.html)
I hope that you will review it again, thank you!
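The reporter's point is that a fix tied to one activation path (the left-button click) leaves the middle button open. As an added example, not facturascripts code and not the fix from the linked report, the JavaScript below validates a stored website link against an http(s) allow-list and encodes it on output, so the stored value is inert however the link is activated; the function names and the handling of a `website` field are assumptions.

```javascript
// Added example (not facturascripts code): allow-list validation and output
// encoding for a stored "website" link. Checking the stored value itself makes
// the result independent of which mouse button or DOM event activates the link.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute http(s) URL, or null if the value is not one.
function sanitizeWebsiteLink(raw) {
  if (typeof raw !== "string") return null;
  // Drop surrounding whitespace and embedded control characters; browsers
  // ignore tab/newline inside a scheme, so "java\tscript:" must not slip through.
  const cleaned = raw.trim().replace(/[\u0000-\u001f\u007f]/g, "");
  if (cleaned === "") return null;
  let url;
  try {
    url = new URL(cleaned); // no base URL: relative and "//host" forms throw here
  } catch (e) {
    return null;
  }
  // url.protocol is lower-cased by the parser, so "JavaScript:" is caught too.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null; // reject credential-bearing links
  return url.href;
}

// Minimal HTML encoder for the rendered anchor's attribute and text content.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Renders the link for a list view. Invalid values are shown as escaped plain
// text rather than as a clickable anchor.
function renderWebsiteLink(raw) {
  const href = sanitizeWebsiteLink(raw);
  if (href === null) {
    return escapeHtml(typeof raw === "string" ? raw : "");
  }
  const safe = escapeHtml(href);
  return `<a href="${safe}" target="_blank" rel="noopener noreferrer">${safe}</a>`;
}
```

The same allow-list check belongs server-side at save time as well, so a crafted value never reaches the database in the first place.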
I don't know how to proceed in these cases. It won't let me mark as valid anymore.
Hi @admin, can you help the maintainer change the status of this report from duplicate to valid, as he mentioned in the comment above?
@neorazorx - I have re-opened the report for you 👍 Feel free to update the report as you see fit :)