Stored Cross-site Scripting in Client's Name #1727
Comments
What browser are you testing this scenario with? I've attempted to create the issue with Chrome Version 61.0.3163.100 (Official Build) (64-bit) and have been unable to recreate it.
@turbo124 I am using Version 61.0.3163.100 (Official Build) (64-bit) too.
@turbo124 Apologies for this inconvenience, but can you please try to select the client with the malicious payloads stored when creating the invoice? That should trigger it. If that doesn't work, I'll make a step-by-step PoC to ensure it is verifiable... :)
@prodigysml OK, I was able to recreate this now. I had to start typing the client name for the popup to load.
Thanks for catching this!
Issue
Anyone with the permission to change a client's name can use that parameter to gain arbitrary execution of javascript. Anyone who can create an invoice will be affected by this payload.
Steps to reproduce
</script><img src=x alert(1)>
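The following is an added example of output encoding for a stored client name. It is not part of the original report and not the project's code. It assumes, from the leading `</script>` in the reported string, that the name is serialized into an inline script block, and, from the comments, that it is also rendered in a suggestion popup; all function names are hypothetical.

```javascript
// Added example: defensive encoding of a client name in two output contexts.
// Function names and page layout are assumptions, not the project's code.

// Context 1: data embedded in an inline <script> block.
// JSON.stringify alone leaves "</script>" intact, so the HTML parser would
// close the script element early. Escape the characters that matter to it.
const SCRIPT_UNSAFE = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, c => SCRIPT_UNSAFE[c]);
}

// Context 2: text placed into HTML markup, e.g. a suggestion list entry.
const HTML_UNSAFE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, c => HTML_UNSAFE[c]);
}

function renderSuggestion(client) {
  return '<li class="suggestion">' + escapeHtml(client.name) + '</li>';
}

// Constructed sample record; the name is the string quoted in the report.
const sampleClient = { id: 1, name: '</script><img src=x alert(1)>' };

function demo() {
  const naive = JSON.stringify(sampleClient);
  const safe = jsonForInlineScript(sampleClient);
  return {
    naiveKeepsClosingTag: naive.includes('</script>'), // unsafe in inline script
    safeKeepsAngleBracket: safe.includes('<'),         // nothing for the parser to act on
    roundTrips: JSON.parse(safe).name === sampleClient.name,
    listItem: renderSuggestion(sampleClient),
  };
}

console.log(demo());
```

On the client side, assigning the name with `textContent` instead of building markup strings avoids the second context entirely.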