Reflected Xss using url based payload in neorazorx/facturascripts
Valid
Reported on
May 8th 2022
Description
Hi there i found that url parameter is not verified by server so an attacker can use javascript schema to run xss on user's browser
Proof of Concept
- Visit this page http://localhost/invoices/EditPageOption?code=ListProducto-new&url=javascript:prompt(2)
- Click on back button
PoC:-
https://youtu.be/l1uHfNa2p58
Impact
Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser
We are processing your report and will contact the
neorazorx/facturascripts
team within 24 hours.
a year ago
Distorted_Hacker modified the report
a year ago
Distorted_Hacker modified the report
a year ago
We have contacted a member of the
neorazorx/facturascripts
team and are waiting to hear back
a year ago
The researcher's credibility has increased: +7
to join this conversation