FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)

vendor:

FusionInvoice

by:

Andrea Intilangelo

6.1

CVSS

MEDIUM

Stored XSS

CWE

Product Name: FusionInvoice

Affected Version From: 2023-1.0

Affected Version To: 2023-1.0

Patch Exists: NO

Related CWE: CVE-2023-25439

CPE: cpe:2.3:a:sqware_pig:fusioninvoice:2023-1.0:*:*:*:*:*:*:*

Metasploit:

Other Scripts:

Platforms Tested: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)

2023

FusionInvoice 2023-1.0 – Stored XSS (Cross-Site Scripting)

A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 allows an attacker to execute arbitrary web scripts or HTML by injecting persistent javascript code inside the title and/or description while creating a task/expense/project.

Mitigation:

Apply a patch or update to the latest version of FusionInvoice.

Source

Exploit-DB raw data:

# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Date: 2023-05-24
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439

Description:

A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows attacker to
execute arbitrary web scripts or HTML.

Injecting persistent javascript code inside the title and/or description while creating a task/expense/project (and
possibly others) it will be triggered once page gets loaded.


Steps to reproduce:

- Click on "Expenses", or "Tasks" and add (or edit an existing) one,
- Insert a payload PoC inside a field, in example in the "Phone number" (or "Description"),
- Click on 'Save'.

Visiting the website dashboard, as well as the customer or project summary page, the javascript code will be executed.


PoC Screenshots:

https://imagebin.ca/v/7FOZfztkDs3I