Akaunting 1.3.17 Cross Site Scripting

Akaunting versions 1.0.0 through 1.3.17 suffer from a cross site scripting vulnerability.

MD5 | 791a391fc2654ecbb529f831ea0d5c43

Title: Stored XSS In akaunting compnay name alt
Affected Version: 1.0.0 - 1.3.17
Tested on: Chrome, Firefox, Opera ( Latest version )
Author: Rudra Sarkar (@rudr4_sarkar)

1. Affected "alt" attribute
2. Create account, Confirm Email Verification
3. Create Company name with "><script>alert(document.domain);</script>
4. It will redirect you to dashboard, and you will got popup
5. You will got popup ;)

28-09-2019: Reported to their vendor
28-09-2019: Closed as "out of topic" on github (
https://github.com/akaunting/akaunting/issues/881 ) Fix not deployed.

*Rudra Sarkar* | SRT | Security Researcher
@rudr4_sarkar <https://twitter.com/rudr4_sarkar>

Related Posts