Visma Bug Bounty Program: Stored XSS in 'Notes'

2020-02-04T10:31:31
ID H1:788732
Type hackerone
Reporter anglecutter
Modified 2020-02-13T13:22:13

Description

A logged-in user can inject JavaScript code into a specifically crafted Note on a document, such as an Invoice, which will be executed when another user, logged in to the same company, edits the Note.