GHSA-4v7v-7v7r-3r5h

Описание

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.

Details

When an administrator views the History tab of that specific note, the script executes in their browser session.

PoC

1. Log in as a regular user.

2. Open "Sales"=>"Customers"=> "Delivery Notes"

   

3. Chose one of the customer or create the new one.

4. Open "Delivery notes"

   

5. Create a new Delivery Note or edit an existing one. Fill the "Number 2" field with any value and save.

   

6. In the Observations field, enter the malicious JavaScript and save it again. 7. Now we have record in "History" tab. 8. Logout and login as admin. Next go to the "History" tab with malicious code:

Result: Upon opening the history record, the onerror event triggers, executing the JavaScript and displaying an alert box with the application's origin.

Impact

Change admin password via XSS: Admin password was changed

This vulnerability results in a Critical Full Account Takeover, allowing any user with note-editing permissions to seize control of the admin account. It successfully bypasses CSRF protections and exploits the lack of "current password" verification during credential changes. Once compromised, the attacker gains total access to the system's management, sensitive financial data, and user configurations.

Technical requirements & Complexity

The attack requires prior technical knowledge of the internal API structure (field names and required values), which can be obtained by a legitimate user through browser developer tools. While it requires the target's code (e.g., admin), this is a common default value in most installations.