hackeroneMuon4H1:808672
History: Mar 02, 2020 - 12:18 p.m.

Visma Bug Bounty Program: Stored XSS when uploading files to an invoice

2020-03-02 12:18:20
muon4
hackerone.com
$250
167

I’ve found a stored XSS in the file upload. The parameter fileID is vulnerable and will be stored to the page.

Steps To Reproduce

  • Login
  • Navigate to one of your invoices
  • Upload some file and intercept the traffic
  • Once you see a JSON payload like this {"id":"abcabccabcabc","name":"file-name"}, modify it to this {"id":"abcabc\"><svg/onload=confirm(1)>abcabc","name":"file-name"}
  • Refresh the page and see that the JavaScript will be executed