Description
The current version of Firefly III (version 4.7.17.3) is vulnerable to multiple stored XSS issues due to a lack of filtering of user-supplied data in the transaction description field and in the asset account name. A malicious attacker can create a specially crafted request that contains JavaScript code. The malicious JavaScript code will be executed when a user visits the links below.
Steps to reproduce
1. Add 2 asset accounts with names `<script>alert("XSS in source asset account")</script>` and `<script>alert("XSS in destination asset account")</script>`.
2. Add a new transaction with description `<script>alert("XSS in transaction description")</script>`. You can add a new deposit, withdrawal or transfer.
3. Visit:
   - /transactions/convert/deposit/[id of your transaction]
   - /transactions/convert/withdrawal/[id of your transaction]
   - /transactions/convert/transfer/[id of your transaction]
4. See 5 alerts (one description alert, two source account alerts, two destination account alerts).
POC image
Extra info
Tested on Mozilla 60.4.0esr (64-bit)
JC5 added the bug and fixed labels on Aug 2, 2019
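The report above comes down to stored values being written into the convert pages without output encoding. The following is an added example, not part of the original issue and not Firefly III's own PHP/Twig code: a Python sketch of a regression check that renders the three reported payloads with and without escaping and counts the `<script>` elements a parser sees. The template and function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed records holding the three payloads quoted in the report.
DESC = '<script>alert("XSS in transaction description")</script>'
SOURCE = '<script>alert("XSS in source asset account")</script>'
DEST = '<script>alert("XSS in destination asset account")</script>'

# Hypothetical stand-in for a convert page: the description appears once and
# each account name twice, matching the five alerts described in the report.
TEMPLATE = (
    "<h1>Convert {desc}</h1>"
    "<p>Source: {src} / Destination: {dst}</p>"
    "<p>Swap: {dst} / {src}</p>"
)

def render_unsafe(desc, src, dst):
    """Interpolate stored values verbatim (the behaviour the report describes)."""
    return TEMPLATE.format(desc=desc, src=src, dst=dst)

def render_escaped(desc, src, dst):
    """Encode every stored value at output time.

    html.escape is correct for HTML text and quoted attribute values; values
    placed inside script blocks or URLs need a context-specific encoder.
    """
    fields = {"desc": desc, "src": src, "dst": dst}
    return TEMPLATE.format(**{k: html.escape(v, quote=True) for k, v in fields.items()})

class ScriptCounter(HTMLParser):
    """Counts <script> start tags and collects the text a reader would see."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = 0
        self.text = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
    def handle_data(self, data):
        self.text.append(data)

def count_scripts(page):
    """Return (number of script elements, visible text) for a rendered page."""
    parser = ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts, "".join(parser.text)

if __name__ == "__main__":
    print("unsafe :", count_scripts(render_unsafe(DESC, SOURCE, DEST))[0])
    print("escaped:", count_scripts(render_escaped(DESC, SOURCE, DEST))[0])
```

With escaping applied, the payloads survive as visible text, so account names and descriptions containing angle brackets still display as the user typed them.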