Visma Public: HTML-injection in PDF-export leads to LFI

ID H1:809819
Type hackerone
Reporter base_64
Modified 2020-04-06T11:44:20


The researcher was able to extract contents of files using the pdf-generator in "Yearly Financial Statements". This was done by adding an IFRAME-tag inside the companyname. Once rendered in Yearly Financial Statements, it included the file the IFRAME was pointing to. In this POC it was /etc/passwd.