Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jun 28th 2021

✍️ Description

Stored xss bug using a xss payload in the full name field, other fields like address, city, state will work as well.

🕵️‍♂️ Proof of Concept

Create a new user with the following payload "><img src=x onerror=alert('xss-ribersec')> in one of the fields i mentioned above; full name, address etc... alt text browse to you're profile and see the xss popup. https://your_own_url/online-invoicing-system-4.9/app/membership_profile.php alt text If you want to alert the cookies simply change the payload to "><img src=x onerror=alert(document.cookie)> alt text

💥 Impact

Possible to steal admin cookies or take over another account via cookie grepping.

💥References

https://owasp.org/www-community/attacks/xss/

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 2 years ago
Jamie Slome
2 years ago

Admin

@maintainer - any thoughts here?

BigProf Software validated this vulnerability 2 years ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf
2 years ago

Maintainer

I wouldn't classify this as 'high severity' as the app admin has no motive to XSS his app users (and he can do much more damage in many other ways if he really wants since he's the system admin) .. So, this vulnerability is ineffective without combining it with a CSRF attack. Anyway, thanks for reporting it ... I'll make a fix now.

BigProf Software marked this as fixed with commit 7167fb 2 years ago
BigProf Software has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation