Cross-site Scripting (XSS) - Stored in range-of-motion/budget

Valid

Reported on

Jun 4th 2021

✍️ Description

Stored xss using vue js

🕵️‍♂️ Proof of Concept

1. First goto your account and visit https://app.budgethq.com/transactions and create a transaction .
During creation put bellow xss payload in Description field and save it .
Now see xss is executed

Payload ---> {{ constructor.constructor("alert('xs222s')")() }}

#VIDEO POC

https://drive.google.com/file/d/1fkPqCdEXGaOLryLDRe0T4mPTv3yVUhfJ/view?usp=sharing

💥 Impact

Stored xss allow to executed arbitary javacscript in vicitm account

Jamie Slome

commented 2 years ago

Admin

I have reached out to the maintainers via a GitHub Issue and we will await a response from them.

Daniël validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

Daniël submitted a

patch

2 years ago

Daniël marked this as fixed in 0.11.1 with commit eea1bf 2 years ago

Daniël has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation