Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos

Valid

Reported on

Dec 18th 2021


Description

Reflected cross-site scripting vulnerability in the barcode field and name field in the item kits category.

Proof of Concept

  1. Login to the demo account

  2. Go to item kits, edit any item, add the payload in the barcode field and click save

  3. payload "><iMg SrC="x" oNeRRor="alert(1);">

  4. poc 1 https://ibb.co/ZJZLKdQ

  5. poc 2 https://ibb.co/D4x2jSf

Impact

This vulnerability is capable of stealing the user's cookie.
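
The payload in step 3 begins with `">`, which closes an attribute value and its tag before adding an `<img>` with an error handler. The PHP sketch below is an added example, not the opensourcepos fix or any project code: it renders the barcode and name values with and without output encoding and counts the elements that the input managed to inject. The helper functions and field names are hypothetical, and it assumes the values are echoed into a double-quoted HTML attribute.

```php
<?php
// Added illustration, not opensourcepos code. Helper and field names are hypothetical.

// Payload taken from the report's proof of concept.
$payload = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Vulnerable pattern: the value is echoed into an attribute without encoding.
function render_field_raw(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function render_field_escaped(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '">';
}

// Regression check: parse the rendered markup and count <img> elements.
// The template never emits one, so any hit means input became markup.
function injected_elements(string $html): int
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate malformed markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName('img')->length;
}

foreach (['barcode', 'name'] as $field) { // hypothetical field names
    $raw = render_field_raw($field, $payload);
    $escaped = render_field_escaped($field, $payload);
    printf(
        "%-8s raw: %d injected element(s), escaped: %d injected element(s)\n",
        $field,
        injected_elements($raw),
        injected_elements($escaped)
    );
    echo '  ', $escaped, "\n";
}
```

The same count can serve as a regression test: feed the payload through whichever view renders the two fields and fail the build if the injected element count is not zero.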

We are processing your report and will contact the opensourcepos team within 24 hours. a year ago
Asura-N modified the report
a year ago
We have contacted a member of the opensourcepos team and are waiting to hear back a year ago
We have sent a follow up to the opensourcepos team. We will try again in 7 days. a year ago
jekkos
a year ago

Maintainer


Can you check if this still works on dev.opensourcepos.org? We have added some XSS mitigations in that version and will release this soon.

jekkos
a year ago

Maintainer


I tried this on dev and it does not work

jekkos validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Asura-N
a year ago

Researcher


Hi @jekkos, it is still working with the same payload on https://dev.opensourcepos.org/item_kits, in both the barcode and name fields.

Thanks @Asura-N

jekkos
a year ago

Maintainer


I made a fix for this in master branch.

jekkos
a year ago

Maintainer


https://github.com/opensourcepos/opensourcepos/commit/9331d823132c268c38d77690223e5b75cb498fe9

jekkos marked this as fixed in 3.3.7 with commit 9331d8 a year ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE