Lucene search
Andrea Intilangelo1337DAY-ID-38728HistoryMay 23, 2023 - 12:00 a.m.
FusionInvoice 2023-1.0 - Cross-Site Scripting Vulnerability
2023-05-2300:00:00
Andrea Intilangelo
0day.today
87
fusioninvoice 2023-1.0
cross-site scripting
stored xss
sqware pig llc
cve-2023-25439
web browsers
exploit
vendor homepage
poc screenshots
0.001 Low
EPSS
Percentile
50.5%
# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439
Description:
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows attacker to
execute arbitrary web scripts or HTML.
Injecting persistent javascript code inside the title and/or description while creating a task/expense/project (and
possibly others) it will be triggered once page gets loaded.
Steps to reproduce:
- Click on "Expenses", or "Tasks" and add (or edit an existing) one,
- Insert a payload PoC inside a field, in example in the "Phone number" (or "Description"),
- Click on 'Save'.
Visiting the website dashboard, as well as the customer or project summary page, the javascript code will be executed.
PoC Screenshots:
https://imagebin.ca/v/7FOZfztkDs3I
Related
cve
cve
CVE-2023-25439
2023-05-25 20:15:09
nvd
nvd
CVE-2023-25439
2023-05-25 20:15:09
cvelist
cvelist
CVE-2023-25439
2023-05-25 00:00:00
prion
prion
Cross site scripting
2023-05-25 20:15:00
packetstorm
packetstorm
FusionInvoice 2023-1.0 Cross Site Scripting
2023-05-24 00:00:00
exploitdb
exploitdb
FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
2023-05-23 00:00:00