FusionInvoice 2023-1.0 – Stored XSS (Cross-Site Scripting)

• Exploit Database
• 40 阅读

• 作者： Andrea Intilangelo
  日期： 2023-05-23
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51480/

• # Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
  # Date: 2023-05-24
  # Exploit Author: Andrea Intilangelo
  # Vendor Homepage: https://www.squarepiginteractive.com
  # Software Link: https://www.fusioninvoice.com/store
  # Version: 2023-1.0
  # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
  # CVE: CVE-2023-25439
  
  Description:
  
  A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows attacker to
  execute arbitrary web scripts or HTML.
  
  Injecting persistent javascript code inside the title and/or description while creating a task/expense/project (and
  possibly others) it will be triggered once page gets loaded.
  
  
  Steps to reproduce:
  
  - Click on "Expenses", or "Tasks" and add (or edit an existing) one,
  - Insert a payload PoC inside a field, in example in the "Phone number" (or "Description"),
  - Click on 'Save'.
  
  Visiting the website dashboard, as well as the customer or project summary page, the javascript code will be executed.
  
  
  PoC Screenshots:
  
  https://imagebin.ca/v/7FOZfztkDs3I