## https://sploitus.com/exploit?id=PACKETSTORM:172556
# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)  
# Date: 2023-05-24  
# Exploit Author: Andrea Intilangelo  
# Vendor Homepage: https://www.squarepiginteractive.com  
# Software Link: https://www.fusioninvoice.com/store  
# Version: 2023-1.0  
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)  
# CVE: CVE-2023-25439  
  
Description:  
  
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows an attacker to  
execute arbitrary web scripts or HTML.  
  
Persistent JavaScript code injected into the title and/or description while creating a task, expense or project (and  
possibly other objects) is triggered once the page is loaded.  
  
  
Steps to reproduce:  
  
- Click on "Expenses", or "Tasks" and add (or edit an existing) one,  
- Insert a PoC payload inside a field, for example the "Phone number" (or "Description") field,  
- Click on 'Save'.  
  
When the website dashboard, or the customer or project summary page, is visited, the stored JavaScript code is executed.  
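The render-time pattern that produces this class of bug beside its hardened form, plus a check a defender can run over already-stored task/expense rows, as an added example (not FusionInvoice's own code; the field names and sample records are constructed assumptions):

```python
import html
import re

# Constructed sample rows standing in for stored task/expense records.
# Field names are assumptions; the advisory only names "title" and "description".
SAMPLE_RECORDS = [
    {"id": 1, "title": "Quarterly audit", "description": "Review ledger entries"},
    {"id": 2, "title": "<script>alert('xss')</script>", "description": "Benign text"},
    {"id": 3, "title": "Server rent", "description": "<img src=x onerror=alert(1)>"},
]


def render_row_unsafe(record):
    """Vulnerable pattern: stored text is interpolated straight into the dashboard HTML."""
    return f"<tr><td>{record['title']}</td><td>{record['description']}</td></tr>"


def render_row_safe(record):
    """Hardened form: every stored value is HTML-entity encoded at output time,
    so markup saved in a field is displayed as text instead of being parsed."""
    title = html.escape(record["title"], quote=True)
    desc = html.escape(record["description"], quote=True)
    return f"<tr><td>{title}</td><td>{desc}</td></tr>"


# Markup-like content: an opening/closing tag, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def audit_records(records):
    """Return the ids of stored records whose title or description already contain
    markup-like content, so an administrator can review them after patching."""
    flagged = []
    for record in records:
        if MARKUP_RE.search(record["title"]) or MARKUP_RE.search(record["description"]):
            flagged.append(record["id"])
    return flagged
```

Output encoding at render time is the fix; the audit only helps find rows that were saved before the fix was applied.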
  
  
Timeline:  
  
2023-01-29: Vulnerability discovered  
2023-01-29: Vendor contacted  
2023-02-01: No reply, vendor contacted for 2nd time  
2023-02-02: Request for CVE reservation  
2023-04-25: Assigned CVE number CVE-2023-25439  
2023-04-27: No reply, vendor contacted for 3rd time  
2023-05-15: No reply, vendor contacted for last time  
2023-05-24: Public disclosure  
  
  
PoC Screenshots:  
  
https://imagebin.ca/v/7FOZfztkDs3I