Cross-site Scripting (XSS) - Stored in range-of-motion/budget


Reported on

Jun 4th 2021

✍️ Description

Stored XSS using Vue.js

🕵️‍♂️ Proof of Concept

1. First, go to your account and create a transaction.
During creation, put the XSS payload below in the Description field and save it.
Now see that the XSS is executed.

Payload ---> {{ constructor.constructor("alert('xs222s')")() }}


💥 Impact

Stored XSS allows executing arbitrary JavaScript in the victim's account.
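Why this payload works, shown with a toy renderer (added example, not code from the report or from the range-of-motion/budget project): a client-side template engine evaluates each `{{ expr }}` against a data scope. Vue 2's generated render functions did this with `with(this) { ... }`, so a bare `constructor` resolves to the scope object's constructor (`Object`), whose own `constructor` is `Function`, and `constructor.constructor("alert(...)")()` is just `Function("alert(...)")()`. The renderer below is a deliberately minimal stand-in for that mechanism, not Vue itself; the `alert()` from the report is swapped for a global flag so the effect can be observed in Node, and the `<td>` markup and the `description` field name are assumptions.

```javascript
// Added example: a minimal mustache-style renderer that mimics how a
// client-side template engine evaluates `{{ expr }}` against a data scope.
// It is NOT Vue and NOT the project's code; it only reproduces the mechanism.

const INTERPOLATION = /\{\{\s*([^}]+?)\s*\}\}/g;

// Evaluate one template expression against `scope`, the way Vue 2's generated
// render functions did: `with(this) { return (expr) }`. The Function body is
// sloppy-mode regardless of the surrounding module, so `with` is allowed.
function evalExpression(expr, scope) {
  const fn = new Function(`with (this) { return (${expr}); }`);
  return fn.call(scope);
}

// Vulnerable pattern: a string that already contains user input is compiled
// as a template, so the user controls expressions, not just data.
function renderTemplate(template, scope) {
  return template.replace(INTERPOLATION, (_, expr) => String(evalExpression(expr, scope)));
}

// Safe pattern: the template is a fixed, developer-controlled string and the
// user's text is only a *value* in the scope; braces inside it are inert
// because the output is not re-scanned for interpolations.
function renderDescription(scope) {
  return renderTemplate('<td>{{ description }}</td>', scope);
}

// Shows the escape chain the payload relies on: scope.constructor is Object,
// Object.constructor is Function.
function functionConstructorReachable(scope) {
  return evalExpression('constructor.constructor', scope) === Function;
}

function demonstrate() {
  // Constructed sample: the Description field from the report, with alert()
  // replaced by a side effect we can observe outside a browser.
  const payload = '{{ constructor.constructor("globalThis.xssFired = true")() }}';
  const scope = { description: payload };

  // Vulnerable: the stored description is spliced into the template string.
  globalThis.xssFired = false;
  const vulnerableOutput = renderTemplate(`<td>${payload}</td>`, scope);
  const firedWhenVulnerable = globalThis.xssFired;

  // Safe: the stored description is bound as data through a fixed template.
  globalThis.xssFired = false;
  const safeOutput = renderDescription(scope);
  const firedWhenSafe = globalThis.xssFired;

  return { vulnerableOutput, firedWhenVulnerable, safeOutput, firedWhenSafe };
}

// Stand-alone run: prints which path executed the payload.
const result = demonstrate();
console.log('vulnerable path executed payload:', result.firedWhenVulnerable);
console.log('safe path executed payload:', result.firedWhenSafe);
console.log('safe output:', result.safeOutput);
```

The practical check for a Vue application is the same as in the toy: user-controlled text must only ever appear as a bound value (`{{ description }}` or `v-text`), never be concatenated into a template string that is compiled at runtime, rendered through `v-html`, or passed to `Vue.compile`. Note that HTML-escaping the description does not help here, because the payload contains no HTML at all; it is pure template syntax.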

Jamie Slome
2 years ago


I have reached out to the maintainers via a GitHub Issue and we will await a response from them.

Daniël validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniël submitted a
2 years ago
Daniël marked this as fixed in 0.11.1 with commit eea1bf 2 years ago
Daniël has been awarded the fix bounty
This vulnerability will not receive a CVE