Reflected XSS on conversion filter function in beancount/fava
Jul 28th 2022
Fava v1.22 has a conversion filter function on the income statement dashboard that allows a user to perform XSS, because the conversion filter value is not properly validated or escaped before being reflected into the page.
Proof of Concept
- Navigate to Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/income_statement/.
- Filter on conversion type and add the payload to the result.
- Hover the mouse cursor over the bar chart (visualization) and the XSS alert will pop up.
- "><img src=a onerror=alert(document.domain)>
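The defect described above is a reflected value landing in chart tooltip markup unescaped. The following is an added example, not Fava's own code: a hypothetical tooltip renderer in its vulnerable and hardened forms, run against the report's payload. The query parameter name `conversion`, the fallback value `at_cost` and the tooltip layout are assumptions, not taken from the page.

```javascript
// Added example (not Fava's code): how a user-controlled "conversion" filter
// value ends up in a chart tooltip, and how escaping it removes the XSS.

// Minimal HTML escaper covering the characters that can break out of
// text content or a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the conversion value is concatenated straight into the markup.
// A value of  "><img src=a onerror=alert(document.domain)>  closes the title
// attribute and the span, and the injected <img> runs its onerror handler.
function tooltipHtmlVulnerable(accountName, amount, conversion) {
  return `<span title="${conversion}">${accountName}: ${amount} ${conversion}</span>`;
}

// Hardened: every untrusted fragment is escaped before entering the markup,
// so the same payload renders as literal text inside the tooltip.
function tooltipHtmlSafe(accountName, amount, conversion) {
  const c = escapeHtml(conversion);
  return `<span title="${c}">${escapeHtml(accountName)}: ${escapeHtml(amount)} ${c}</span>`;
}

// Reads the filter value the way tooltip code would see it from the URL.
// The parameter name "conversion" and the default "at_cost" are assumptions.
function conversionFromQuery(search) {
  return new URLSearchParams(search).get("conversion") ?? "at_cost";
}

// Detection helper for tests: true if the rendered HTML contains any element
// other than the <span> the renderer itself emits.
function containsInjectedTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

// Demonstration with the payload from the report (constructed input).
const payload = '"><img src=a onerror=alert(document.domain)>';
console.log(containsInjectedTag(tooltipHtmlVulnerable("Expenses", "10 USD", payload))); // true
console.log(containsInjectedTag(tooltipHtmlSafe("Expenses", "10 USD", payload)));       // false
```

The same escaping must be applied to every reflected filter value, and using `textContent` instead of `innerHTML` for plain-text tooltips avoids the problem entirely.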