Stored XSS in title parameter executing at EditUser page & EditProducto page in neorazorx/facturascripts

Valid

Reported on

Apr 20th 2022


Description

Cross-site scripting (XSS) is a common attack vector that injects malicious script into a vulnerable web application so that it runs in other users' browsers. Stored XSS, also known as persistent XSS, is the more damaging of the two main variants (reflected and stored): the malicious script is saved by the application (here, in a user's profile title) and served back to every user whose browser later renders that value.

Proof of Concept

  1. Log in as a normal user.
  2. Click on Options and select User.
  3. Set the title to <script>alert(document.domain)</script> and save. The XSS payload is now stored.
  4. Log in to any other account, e.g. admin.
  5. Click on the top right corner, i.e. EditUser; the stored XSS executes.
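The root cause is a user-controlled profile field rendered into HTML without output encoding. The following is an added illustration, not FacturaScripts code: a minimal vulnerable renderer beside its hardened form, an input-side allowlist check, and a helper for finding payloads that are already persisted, since fixing output encoding stops execution but leaves the stored value in the database. Python's `html.escape` stands in for the template engine's escaping; the user records and function names are constructed for the example.

```python
"""Stored XSS in a user-profile "title" field: vulnerable vs hardened rendering,
plus a scan helper for payloads already persisted in the data store.
Added example, not FacturaScripts code; the in-memory user table and all
function names are constructed for illustration."""
import html
import re
from typing import Dict, List

# Constructed sample records standing in for the users table. The first title is
# the exact payload from the report's proof of concept; the others are benign
# values that contain characters which must survive encoding unchanged in meaning.
USERS: Dict[str, str] = {
    "lowpriv": "<script>alert(document.domain)</script>",
    "alice": "Sales Manager & Admin",
    "bob": 'Engineer "Senior"',
}


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored value is interpolated verbatim into the page,
    both as a text node and inside an attribute."""
    return f'<h1 title="{title}">{title}</h1>'


def render_title_safe(title: str) -> str:
    """Hardened pattern: HTML-encode at output time, for the text node and the
    attribute alike. quote=True also encodes " and ' so the attribute cannot be
    broken out of."""
    encoded = html.escape(title, quote=True)  # encodes & < > " '
    return f'<h1 title="{encoded}">{encoded}</h1>'


def is_valid_title(title: str, max_len: int = 100) -> bool:
    """Defence in depth at input: a profile title has no legitimate need for
    angle brackets, so reject them before the value is ever stored."""
    return 0 < len(title) <= max_len and re.search(r"[<>]", title) is None


# Markup that indicates an active payload rather than ordinary text.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|img|svg)\b|\bon\w+\s*=|javascript:", re.IGNORECASE
)


def find_stored_payloads(users: Dict[str, str]) -> List[str]:
    """Post-fix cleanup aid: output encoding neutralises rendering, but the payload
    still sits in the database. Return the accounts whose stored title looks like
    active markup so they can be reviewed and reset."""
    return sorted(user for user, title in users.items() if ACTIVE_MARKUP.search(title))


if __name__ == "__main__":
    for user, title in USERS.items():
        print(f"{user:8} unsafe: {render_title_unsafe(title)}")
        print(f"{user:8} safe:   {render_title_safe(title)}")
    print("stored payloads found in:", find_stored_payloads(USERS))
```

Running the block shows the PoC payload emitted as a live `<script>` tag by the unsafe renderer and as inert `&lt;script&gt;` text by the safe one, while the benign titles still display correctly. The scan helper is the piece teams most often forget after merging an encoding fix: the value saved in step 3 of the proof of concept remains in the users table until someone clears it.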

Video PoC

EditUser: https://drive.google.com/file/d/1zHI5GNU7JFUL5h6e64tnUFg4lXzqECRU/view?usp=sharing
EditProducto: https://drive.google.com/file/d/1Z2fcc6DF-4eFpB1DAok3XMrtjUtYWo5M/view?usp=sharing

Impact

Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. (a month ago)
Tarun Garg modified the report (a month ago)
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back (a month ago)
Carlos Garcia validated this vulnerability (a month ago)
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
Carlos Garcia confirmed that a fix has been merged on b3e752 (a month ago)
The fix bounty has been dropped
Tarun Garg (Researcher), a month ago:
Thank you for the reward, is there any CVE number that will also be assigned?

Tarun Garg (Researcher), a month ago:
@neorazorx @admin Please check if CVE can be assigned

Jamie Slome (Admin), a month ago:
Sure, we can assign a CVE here, we first require the go-ahead from the maintainer.

@maintainer - are you happy for us to assign and publish a CVE for this report?

Tarun Garg (Researcher), a month ago:
@maintainer

Tarun Garg (Researcher), a month ago:
@admin

Tarun Garg (Researcher), a month ago:
@admin @maintainer, as the fix is already released, can you assign a CVE here

Jamie Slome (Admin), a month ago:
Sorted 👍

Tarun Garg (Researcher), a month ago:
Thank you
