Visma Bug Bounty Program: Stored XSS in 'Notes'

ID H1:788732
Type hackerone
Reporter anglecutter
Modified 2020-02-13T13:22:13


A logged-in user can inject JavaScript code into a specially crafted Note on a document, such as an Invoice. The code is executed when another user, logged in to the same company, edits the Note.