Description
The current version of Firefly III (version 4.7.17.3) is vulnerable to stored XSS due to a lack of filtering of user-supplied data in the asset account name. A malicious attacker can create a specially crafted request that contains JavaScript code. The malicious JavaScript code will be executed when a user visits the link below.
Steps to reproduce
1. Add two asset accounts with the names "<script>alert("account with no activity");</script>" and "<script>alert("active account");</script>".
2. Do some activity with the active account.
3. Visit /reports/audit/[your accounts ids]/20190701/currentMonthEnd
4. See 2 alerts (one in "Account balance of (active account)" and one in "No activity was recorded on (inactive account)").
I assume that the active and inactive account XSS are different issues, due to the different endpoints.
Also, the XSS fired on all /reports/audit/ endpoints where the asset account name appears.
POC Image
Extra info
Tested on Mozilla 60.4.0esr (64-bit)
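The fix for this class of bug is output encoding at the point where the account name is written into the report's HTML. The following is an added illustration in Python, not Firefly III's own (PHP/Blade) code: the hypothetical `render_balance_row_unsafe` stands in for the unescaped rendering the report describes, `render_balance_row` and `render_no_activity_row` show the corrected pattern for the two report strings named above, and `contains_live_script` is a simple check a template test suite could use to catch regressions. The sample account names are constructed.

```python
import html
import re

# Constructed sample accounts: an ordinary name containing a character that must
# be encoded anyway (&), and the payload shape quoted in the report above.
SAMPLE_ACCOUNTS = [
    ("Checking & Savings", "1,234.56"),
    ('<script>alert("active account");</script>', "0.00"),
]

# Matches an unescaped opening <script tag, case-insensitively.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_balance_row_unsafe(account_name: str, balance: str) -> str:
    """Vulnerable pattern (hypothetical stand-in, not Firefly III's template):
    the user-controlled name is concatenated straight into the markup."""
    return f"<tr><td>Account balance of {account_name}</td><td>{balance}</td></tr>"


def render_balance_row(account_name: str, balance: str) -> str:
    """Fixed pattern: every user-controlled value is HTML-escaped at output time.
    quote=True also encodes quote characters, so the result is safe inside
    attribute values as well as element text."""
    return (
        f"<tr><td>Account balance of {html.escape(account_name, quote=True)}</td>"
        f"<td>{html.escape(balance, quote=True)}</td></tr>"
    )


def render_no_activity_row(account_name: str) -> str:
    """The second report string named in the issue; the same rule applies."""
    return (
        "<tr><td>No activity was recorded on "
        f"{html.escape(account_name, quote=True)}</td></tr>"
    )


def contains_live_script(fragment: str) -> bool:
    """Regression check for rendered fragments: True if an unescaped <script
    tag survived rendering. An escaped name appears as &lt;script&gt; instead."""
    return SCRIPT_TAG.search(fragment) is not None


def render_report(rows, safe: bool = True) -> str:
    """Render a whole (hypothetical) audit table with either row renderer."""
    render = render_balance_row if safe else render_balance_row_unsafe
    body = "".join(render(name, balance) for name, balance in rows)
    return f"<table>{body}</table>"


if __name__ == "__main__":
    print(render_report(SAMPLE_ACCOUNTS, safe=True))
    print("unsafe report contains live script:",
          contains_live_script(render_report(SAMPLE_ACCOUNTS, safe=False)))
```

In a Blade template the equivalent distinction is between the escaping `{{ }}` syntax and the raw `{!! !!}` syntax; the check above is the kind of assertion worth adding to a view test for every report that prints account names.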