Cross-site Scripting (XSS) in Error Page in neorazorx/facturascripts
Valid
Reported on Apr 29th 2022
Description
An XSS can be triggered via the error page through an invalid file name.
Proof of Concept
1. Log in as Admin.
2. Upload a new file with the name <img src=x onerror=alert(origin)>.svg
3. Save -> the Fatal Error Page shows up and the XSS will be triggered.
Impact
This vulnerability is capable of XSS
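One way to close this class of bug, shown as an added example that is not facturascripts code: escape the message when the error page is rendered, and reject unexpected file names at upload. The function names `renderErrorPage` and `sanitizeUploadName` and the allowed character set are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical error-page renderer: every dynamic value is HTML-escaped
// at the point of output, so markup in a file name is displayed as text
// instead of being parsed by the browser.
function renderErrorPage(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<!DOCTYPE html>\n"
        . "<html><body><h1>Fatal error</h1><pre>{$safe}</pre></body></html>";
}

// Hypothetical upload-name check: keep only the base name and accept a
// conservative character set (assumed policy), rejecting anything else
// before the name is stored or echoed anywhere.
function sanitizeUploadName(string $name): ?string
{
    $base = basename(str_replace('\\', '/', $name));
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $base) !== 1) {
        return null;
    }
    return $base;
}

// Constructed sample input: the file name used in the report above,
// plus an ordinary name for comparison.
$reported = '<img src=x onerror=alert(origin)>.svg';
$ordinary = 'invoice-01.svg';

foreach ([$reported, $ordinary] as $name) {
    $result = sanitizeUploadName($name);
    echo $result === null ? "rejected\n" : "accepted: {$result}\n";
}

// Defence in depth: even if such a name reaches an error message,
// the renderer emits it as escaped text.
echo renderErrorPage("Invalid file name: {$reported}"), "\n";
```

Escaping at output is the fix for the error page itself; the upload-name check only reduces what can reach it.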
We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. (a year ago)
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back. (a year ago)
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE