
Stored Cross-site Scripting in Client's Name #1727

Closed
prodigysml opened this issue Oct 30, 2017 · 5 comments
Comments

@prodigysml

Issue

Anyone with the permission to change a client's name can use that parameter to gain arbitrary execution of JavaScript. Anyone who can create an invoice will be affected by this payload.

Steps to reproduce

  1. Create a client
  2. Change the client's name, first name, and last name to the following payload:
    </script><img src=x alert(1)>
  3. Go to create an invoice.
  4. Select that client. Observe an alert box has popped up.
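As an added illustration (not code from the issue or from the project being discussed), the following shows why a stored name containing `</script>` escapes an inline script block even when it is JSON-encoded, and how escaping the HTML-significant characters as `\u` sequences neutralises it. The template, function names, and the use of JSON-in-a-script pattern are assumptions; the sample input is the corrected payload from later in the thread.

```javascript
// Constructed input: the payload reported in the issue, stored as a client name.
const STORED_CLIENT_NAME = '</script><img src=x onerror=alert(1)>';

// Vulnerable pattern (assumed template): the stored value is dropped into an
// inline <script>. JSON.stringify alone is NOT enough, because the HTML parser
// runs before the JS engine and ends the script block at the first "</script".
function renderClientScriptUnsafe(name) {
  return '<script>var client = ' + JSON.stringify({ name }) + ';</script>';
}

// Hardened pattern: encode "<", ">", "&" and the JS line terminators U+2028 /
// U+2029 as \u escapes. The output is still valid JSON for the JS engine, but
// the HTML parser never sees a literal "</script>" inside the block.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderClientScriptSafe(name) {
  return '<script>var client = ' + jsonForInlineScript({ name }) + ';</script>';
}

// Defender's check: does the script body contain a premature terminator?
// The HTML tokenizer matches the tag name case-insensitively, so test that way.
function containsScriptBreakout(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// Round-trip check: the escaped JSON must still decode to the original name,
// so the fix changes only what the HTML parser sees, not what the app stores.
function decodedClientName(html) {
  const json = html.slice('<script>var client = '.length, html.lastIndexOf(';</script>'));
  return JSON.parse(json).name;
}
```

The same escaping rule applies to any server-side templating language that emits JSON into a script tag; the point is that HTML-context escaping, not just JSON encoding, is required there.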
@turbo124
Member

What browser are you testing this scenario with?

I've attempted to create the issue with Chrome Version 61.0.3163.100 (Official Build) (64-bit) and have been unable to recreate it.

@prodigysml
Author

@turbo124 I am using Version 61.0.3163.100 (Official Build) (64-bit) too.
I just realised I missed something in the payload, can you please try this one out?
</script><img src=x onerror=alert(1)>
Sorry about that mistake. I missed adding in the event handler...

@prodigysml
Author

@turbo124 Apologies for this inconvenience, but can you please try to select the client with the malicious payloads stored when creating the invoice? That should trigger it. If that doesn't work, I'll make a step-by-step PoC to ensure it is verifiable... :)

@turbo124
Member

@prodigysml OK, I was able to recreate this now. I had to start typing the client name for the popup to load.

@hillelcoren
Member

Thanks for catching this!
