I've found a stored XSS in the file upload. The parameter fileID is vulnerable, and its value is stored and rendered into the page.
Steps To Reproduce
- Login
- Navigate to one of your invoices
- Upload some file and intercept the traffic
- Once you see the JSON payload like this {"id":"abcabccabcabc","name":"file-name"} modify it to this {"id":"abcabc"><svg/onload=confirm(1)>abcabc","name":"file-name"}
- Refresh the page and see that the JavaScript will be executed
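The root cause described above is that the stored `id` value is written into the page markup without encoding, so a quote character closes the attribute and the rest is parsed as a tag. The following is an added example, not code from the report or from the affected application: it shows the vulnerable concatenation pattern beside a hardened version that encodes the value, fed the same modified JSON the report uses. The field names `id` and `name` come from the report; the `<a>` markup and the function names are assumptions.

```javascript
// Added example (not part of the original report). The JSON field names
// "id" and "name" come from the report; the markup and function names are assumed.

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the server-supplied id is concatenated straight into
// markup, so a quote in it ends the attribute and the remainder becomes tags.
function renderUnsafe(file) {
  return '<a class="attachment" data-file-id="' + file.id + '">' + file.name + '</a>';
}

// Hardened pattern: every untrusted value is encoded before it touches markup.
function renderSafe(file) {
  return '<a class="attachment" data-file-id="' + escapeHtml(file.id) + '">' +
         escapeHtml(file.name) + '</a>';
}

// When a DOM is available, prefer building nodes over string concatenation;
// setAttribute and textContent store the raw value without parsing it as HTML.
function renderWithDom(doc, file) {
  const a = doc.createElement('a');
  a.className = 'attachment';
  a.setAttribute('data-file-id', file.id);
  a.textContent = file.name;
  return a;
}

// Constructed sample mirroring the modified JSON payload from the report.
const tamperedFile = { id: 'abcabc"><svg/onload=confirm(1)>abcabc', name: 'file-name' };

// Quick check that the encoded output no longer contains a live tag.
function containsTag(html) {
  return /<[a-z]/i.test(html.replace(/^<a class="attachment" data-file-id="/, ''));
}
```

`renderUnsafe(tamperedFile)` yields markup with a real `<svg>` element, while `renderSafe(tamperedFile)` yields `abcabc&quot;&gt;&lt;svg/onload=confirm(1)&gt;abcabc` inside the attribute, which the browser displays as text. The fix for this class of bug is applying that encoding (or the DOM-building variant) at the rendering layer rather than trying to filter the upload request.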