Visma Bug Bounty Program: Stored XSS when uploading files to an invoice

ID H1:808672
Type hackerone
Reporter muon4
Modified 2020-03-26T09:48:42


I've found a stored XSS in the file upload. The parameter fileID is vulnerable and its value is stored in the page.

Steps To Reproduce

* Login
* Navigate to one of your invoices
* Upload some file and intercept the traffic
* Once you see the JSON payload like this {"id":"abcabccabcabc","name":"file-name"} modify it for this {"id":"abcabc\"><svg/onload=confirm(1)>abcabc","name":"file-name"}
* Refresh the page and see that javascript will be executed
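The root cause the report describes is that the "id" field of the upload response is written back into the invoice page without encoding, so a quote and a closing bracket in the value escape the surrounding markup. The following is an added example, not code from the report or from Visma: a hypothetical attachment renderer that reproduces the failure with the report's own payload, next to a hardened version that HTML-encodes every untrusted field, a server-side format check on the id, and a small helper that flags markup containing tags the template did not produce. The attribute name data-file-id, the id format, and the sample response are assumptions.

```javascript
// Constructed sample of the intercepted upload response, carrying the payload
// quoted in the report (assumed shape; only "id" and "name" are taken from the page).
const uploadResponse = {
  id: 'abcabc"><svg/onload=confirm(1)>abcabc',
  name: 'file-name',
};

// Vulnerable (hypothetical) renderer: raw concatenation into an attribute.
// The double quote in "id" closes the attribute, ">" closes the tag, and the
// remainder of the value becomes live markup.
function renderAttachmentUnsafe(file) {
  return '<a class="attachment" data-file-id="' + file.id + '">' + file.name + '</a>';
}

// Encode the five characters that matter in HTML text and double-quoted
// attribute context. Order matters: "&" first, so encoded entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened renderer: every untrusted field is encoded for the context it lands in,
// so the same response renders as inert text inside the attribute.
function renderAttachmentSafe(file) {
  return '<a class="attachment" data-file-id="' + escapeHtml(file.id) + '">' +
    escapeHtml(file.name) + '</a>';
}

// Server-side defence in depth (assumed id format): an attachment id issued by
// the server should be a short opaque token, so anything else is rejected before storage.
function isValidFileId(id) {
  return /^[A-Za-z0-9_-]{1,64}$/.test(String(id));
}

// Detection helper for tests or a response filter: the template emits exactly one
// opening tag, so a second one means untrusted data produced markup.
function containsInjectedTag(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length > 1;
}

// Stand-alone demonstration.
console.log('unsafe :', renderAttachmentUnsafe(uploadResponse));
console.log('safe   :', renderAttachmentSafe(uploadResponse));
console.log('id ok? :', isValidFileId(uploadResponse.id));
```

Encoding at render time is the fix for the bug as reported; the id format check only narrows what reaches storage and does not replace output encoding, since the "name" field or any other stored string would otherwise need the same treatment.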