Akaunting 1.3.17 Cross Site Scripting

Akaunting versions 1.0.0 through 1.3.17 suffer from a cross site scripting vulnerability.


Title: Stored XSS in Akaunting company name "alt" attribute
Affected Version: 1.0.0 - 1.3.17
Tested on: Chrome, Firefox, Opera ( Latest version )
Author: Rudra Sarkar (@rudr4_sarkar)

1. Affected "alt" attribute
2. Create account, confirm email verification
3. Create company name with "><script>alert(document.domain);</script>
4. It will redirect you to the dashboard, and you will get a popup
5. You will get a popup ;)

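The defect class behind this advisory, as an added illustration that is not Akaunting's code: a company name written raw into an `alt` attribute lets the `">` prefix of the reported payload close the attribute and the tag, while attribute-context escaping keeps the whole name inside the attribute. The rendering functions, the `/logo.png` path and the parser-based check are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the company name from the advisory's step 3.
PAYLOAD_NAME = '"><script>alert(document.domain);</script>'


def render_logo_vulnerable(company_name: str) -> str:
    """Interpolates the company name into alt= with no escaping (the bug class reported)."""
    return f'<img src="/logo.png" alt="{company_name}">'


def render_logo_safe(company_name: str) -> str:
    """Attribute-context escaping: quote=True also encodes " and ' so the attribute cannot be closed."""
    return f'<img src="/logo.png" alt="{html.escape(company_name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records the start tags an HTML parser sees, approximating what a browser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def script_tags_in(markup: str) -> int:
    """Count <script> elements in a rendered fragment; a non-zero result on user-controlled
    output is the signal a template test or output-encoding review should flag."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags.count("script")


if __name__ == "__main__":
    print("vulnerable:", render_logo_vulnerable(PAYLOAD_NAME), script_tags_in(render_logo_vulnerable(PAYLOAD_NAME)))
    print("safe:      ", render_logo_safe(PAYLOAD_NAME), script_tags_in(render_logo_safe(PAYLOAD_NAME)))
```

The same check applies to any template that emits a user-supplied value inside an attribute: the escaped output must never yield a second start tag.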
Timeline:
28-09-2019: Reported to their vendor
28-09-2019: Closed as "out of topic" on GitHub (https://github.com/akaunting/akaunting/issues/881). Fix not deployed.

Thanks,
--
*Rudra Sarkar* | SRT | Security Researcher
@rudr4_sarkar <https://twitter.com/rudr4_sarkar>
