Akaunting versions 1.0.0 through 1.3.17 suffer from a cross site scripting vulnerability.
661fe906f5f9b39680d253d7f29470da44d6bf7c581e5ac9c67e7e76159a00ba
Title: Stored XSS in Akaunting company name "alt" attribute
Affected Version: 1.0.0 - 1.3.17
Tested on: Chrome, Firefox, Opera (latest version)
Author: Rudra Sarkar (@rudr4_sarkar)
1. Affected attribute: "alt"
2. Create an account and confirm the email verification
3. Create a company with the name "><script>alert(document.domain);</script>
4. You will be redirected to the dashboard and get a popup
5. You will get a popup ;)
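The root cause described above is a stored value (the company name) being interpolated into an HTML attribute without attribute-context encoding, so a leading double quote closes the alt attribute and the rest of the payload lands in tag context. The following is an added example, not code from the advisory or from the Akaunting project: it renders the advisory's payload through an unencoded template and through one that applies attribute encoding, then parses both outputs to show which one yields an injected script element. The `/logo.png` path and the `render_*` function names are assumptions for illustration only.

```python
import html
from html.parser import HTMLParser

# Constructed input: the company name from step 3 of the advisory.
PAYLOAD = '"><script>alert(document.domain);</script>'


def render_vulnerable(company_name: str) -> str:
    """Interpolate the stored name into an alt attribute with no encoding (the bug class)."""
    return f'<img src="/logo.png" alt="{company_name}">'


def render_safe(company_name: str) -> str:
    """Encode for an attribute context. quote=True turns '"' into &quot; so the
    value can never terminate the attribute, and < > & are encoded as well."""
    return f'<img src="/logo.png" alt="{html.escape(company_name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collect start tags and alt attribute values as a browser-like parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.alts: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name == "alt":
                # HTMLParser decodes character references, so &quot; comes back as '"'.
                self.alts.append(value or "")


def parse(markup: str) -> tuple[list[str], list[str]]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.alts


def injected_script(markup: str) -> bool:
    """True if the rendered markup contains a <script> element, i.e. the value broke out of the attribute."""
    tags, _ = parse(markup)
    return "script" in tags


def alt_preserved(markup: str, expected: str) -> bool:
    """True if the alt attribute round-trips to the original stored value intact."""
    _, alts = parse(markup)
    return alts == [expected]


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        out = fn(PAYLOAD)
        print(f"{label:10s} injected_script={injected_script(out)} markup={out}")
```

The same check works as a regression test in any template engine: render the field with the advisory's payload and assert that the parsed document contains no element the template did not emit itself.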
Timeline:
28-09-2019: Reported to their vendor
28-09-2019: Closed as "out of topic" on GitHub (https://github.com/akaunting/akaunting/issues/881). Fix not deployed.
--
Thanks,
*Rudra Sarkar* | SRT | Security Researcher
@rudr4_sarkar <https://twitter.com/rudr4_sarkar>