Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos

Valid

Reported on

Dec 18th 2021


Description

Reflected cross-site scripting vulnerability in the barcode field and name field in the item kits category.

Proof of Concept

  1. Login to the demo account

  2. Go to item kits, edit any item, add the payload in the barcode field and click save

  3. payload "><iMg SrC="x" oNeRRor="alert(1);">

  4. poc 1 https://ibb.co/ZJZLKdQ

  5. poc 2 https://ibb.co/D4x2jSf

Impact

This vulnerability is capable of stealing the user's cookie.
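
The output-encoding pattern behind this class of bug, as an added example that is not part of the original report and is neither the project's code nor its fix: the payload from step 3 is rendered into an attribute value once as-is and once encoded with `htmlspecialchars`, and each result is inspected with PHP's DOM parser. The helper names and the `barcode` field name are assumptions.

```php
<?php
// Added illustration; not opensourcepos code. Helper names and the "barcode"
// field name are hypothetical.

// Payload string quoted in step 3 of the report.
$payload = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Unsafe pattern: the submitted value is concatenated into an attribute as-is.
function render_raw(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Safe pattern: encode for the HTML attribute context at output time.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_encoded(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Parse a fragment and list each element with its attribute names, so the
// difference is judged by what an HTML parser builds, not by eyeballing text.
function parsed_elements(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    $body = $doc->getElementsByTagName('body')->item(0);
    foreach ($body->getElementsByTagName('*') as $el) {
        $names = [];
        foreach ($el->attributes as $a) {
            $names[] = $a->nodeName;
        }
        $found[] = $el->nodeName . ' [' . implode(', ', $names) . ']';
    }
    return $found;
}

print_r(parsed_elements(render_raw('barcode', $payload)));
print_r(parsed_elements(render_encoded('barcode', $payload)));
```

In the raw rendering the quote and angle bracket close the `input` early, so the parser builds a second element carrying an event-handler attribute; in the encoded rendering the same characters stay inside the `value` attribute as data.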

We are processing your report and will contact the opensourcepos team within 24 hours. 2 years ago
Asura-N modified the report
2 years ago
We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
We have sent a follow up to the opensourcepos team. We will try again in 4 days. 2 years ago
jekkos
2 years ago

Maintainer


Can you check if this still works on dev.opensourcepos.org? We have added some XSS mitigations in that version and will release this soon.

jekkos
2 years ago

Maintainer


I tried this on dev and it does not work

jekkos validated this vulnerability 2 years ago
asura-n has been awarded the disclosure bounty
The fix bounty is now up for grabs
Asura-N
2 years ago

Researcher


Hi @jekkos, it is still working with the same payload on https://dev.opensourcepos.org/item_kits, in both the barcode and name fields.

Thanks @Asura-N

jekkos
2 years ago

Maintainer


I made a fix for this in master branch.

jekkos
2 years ago

Maintainer


https://github.com/opensourcepos/opensourcepos/commit/9331d823132c268c38d77690223e5b75cb498fe9

jekkos marked this as fixed in 3.3.7 with commit 9331d8 2 years ago
jekkos has been awarded the fix bounty