Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos

Valid

Reported on

Dec 18th 2021


Description

Reflected cross-site scripting vulnerability in the barcode field and name field in the item kits category.

Proof of Concept

  1. Log in to the demo account

  2. Go to item kits, edit any item, add the payload in the barcode field and click save

  3. payload "><iMg SrC="x" oNeRRor="alert(1);">

  4. poc 1 https://ibb.co/ZJZLKdQ

  5. poc 2 https://ibb.co/D4x2jSf

Impact

This vulnerability is capable of stealing the user's cookie.

We are processing your report and will contact the opensourcepos team within 24 hours. 5 months ago
Asura-N modified the report
5 months ago
We have contacted a member of the opensourcepos team and are waiting to hear back 5 months ago
We have sent a follow up to the opensourcepos team. We will try again in 7 days. 5 months ago
jekkos
5 months ago

Can you check if this still works on dev.opensourcepos.org? We have added some XSS mitigations in that version and will release this soon.

jekkos
5 months ago

I tried this on dev and it does not work

jekkos validated this vulnerability 5 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Asura-N
5 months ago

Researcher


Hi @jekkos, it is still working with the same payload on https://dev.opensourcepos.org/item_kits in both the barcode and name fields.

Thanks @Asura-N

jekkos
a month ago

I made a fix for this in master branch.

jekkos
a month ago

https://github.com/opensourcepos/opensourcepos/commit/9331d823132c268c38d77690223e5b75cb498fe9

jekkos confirmed that a fix has been merged on 9331d8 a month ago
jekkos has been awarded the fix bounty
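
The payload in the report opens with `">`, which closes an attribute value and its tag before starting a new element. The following PHP is an added example, not opensourcepos code and not the content of the commit linked above; it assumes the saved value is echoed into an `<input>` `value` attribute, and the field name `item_kit_number` and all function names are hypothetical. It contrasts unencoded output with output-time encoding for the attribute context and uses an HTML parser to show the difference:

```php
<?php
// Added example; not taken from the opensourcepos code base.
// Payload exactly as quoted in the report.
$payload = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Vulnerable pattern: the value is concatenated into the attribute unencoded,
// so the leading "> ends the attribute and the <input> tag.
function render_input_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Encode for HTML at output time. ENT_QUOTES covers both quote characters;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every dynamic value placed in the markup is encoded.
function render_input_safe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Parse the fragment and count <img> elements the parser actually creates.
// The HTML parser lowercases tag names, so the mixed-case iMg is matched too.
function count_img(string $html): int
{
    $doc = new DOMDocument();
    // @ suppresses parser warnings from the deliberately malformed markup.
    @$doc->loadHTML('<body>' . $html . '</body>');
    return $doc->getElementsByTagName('img')->length;
}

// Hypothetical field name, used only for illustration.
$renderers = ['unsafe' => 'render_input_unsafe', 'safe' => 'render_input_safe'];
foreach ($renderers as $label => $fn) {
    $html = $fn('item_kit_number', $payload);
    printf("%-6s img elements: %d\n%s\n\n", $label, count_img($html), $html);
}
```

Encoding when the value is written into the page, rather than filtering it when it is saved, also covers values that were stored before a fix was deployed.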