[webapps] FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)

source link: https://www.exploit-db.com/exploits/51480

EDB-ID: 51480
EDB Verified:
Platform: Multiple
Date: 2023-05-23
Vulnerable App:

# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Date: 2023-05-24
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439

Description:

A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows an attacker to
execute arbitrary web scripts or HTML.

Injecting persistent JavaScript code into the title and/or description while creating a task, expense or project (and
possibly others) causes it to be triggered once the page is loaded.


Steps to reproduce:

- Click on "Expenses" or "Tasks" and add a new one (or edit an existing one),
- Insert a PoC payload into a field, for example the "Phone number" (or "Description") field,
- Click on 'Save'.

When visiting the website dashboard, as well as the customer or project summary page, the JavaScript code will be executed.
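The root cause described above is a stored field (title, description, phone number) being copied into the dashboard and summary pages without output encoding. The following added example is not part of the advisory and not FusionInvoice's code; it is a small, self-constructed Python model of the two rendering patterns, with a constructed sample record that carries an inert `<script>` tag, so the difference between the vulnerable and the hardened renderer can be seen directly.

```python
import html
from dataclasses import dataclass


@dataclass
class Task:
    """Minimal stand-in for a stored task/expense record (assumed shape, not the app's model)."""
    title: str
    description: str


# Constructed sample data: the kind of records a user could save through the "Tasks" form.
# The tag is inert here; it only shows that markup survives storage unchanged.
STORED_TASKS = [
    Task("Invoice follow-up", "Call client about overdue invoice"),
    Task("<script>/* constructed sample */</script>", "plain text"),
]


def render_unsafe(task: Task) -> str:
    """Vulnerable pattern: stored field values are concatenated straight into HTML."""
    return f"<li><b>{task.title}</b>: {task.description}</li>"


def render_safe(task: Task) -> str:
    """Hardened pattern: every stored value is encoded for the HTML context at output
    time. quote=True also escapes quotes, so the same helper is safe inside attributes."""
    title = html.escape(task.title, quote=True)
    description = html.escape(task.description, quote=True)
    return f"<li><b>{title}</b>: {description}</li>"


def dashboard(tasks, renderer) -> str:
    """Build the dashboard list with the chosen renderer."""
    return "<ul>" + "".join(renderer(t) for t in tasks) + "</ul>"


def contains_live_script_tag(markup: str) -> bool:
    """Simple check: does the generated page still contain an unencoded <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", dashboard(STORED_TASKS, render_unsafe))
    print("safe:  ", dashboard(STORED_TASKS, render_safe))
```

Encoding at render time rather than sanitising on input is the right fix for this class of bug: the stored value stays intact, and each output context (HTML text, attribute, JavaScript, URL) gets the encoding it needs.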


PoC Screenshots:

https://imagebin.ca/v/7FOZfztkDs3I