| Titel | Akaunting v3.1.21 Cross Site Scripting |
|---|
| Beschreibung | A Stored Cross-Site Scripting (XSS) vulnerability was identified in Akaunting v3.1.21, an open-source accounting application. The vulnerability exists in the notes field of invoice and bill documents. When a user holding at least a Manager-level role (both Manager and Admin roles hold the create-sales-invoices permission; Accountant and Customer roles do not) creates an invoice containing an HTML/JavaScript payload in the Notes field, the payload is stored in the database without sanitization and later rendered unescaped in the browser of any user who views the document. This satisfies the criteria for a Stored (Persistent) XSS attack.
https://github.com/akaunting/akaunting |
|---|
| Quelle | ⚠️ https://docs.google.com/document/d/1TFwYGdjDblEGCMM0l67PXz0HXZu_iUqWDQZavtM9t1U/edit?usp=sharing |
|---|
| Benutzer | gabriel (UID 72007) |
|---|
| Einreichung | 19.03.2026 20:05 (vor 20 Tagen) |
|---|
| Moderieren | 04.04.2026 16:29 (16 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 355338 [Akaunting bis 3.1.21 Invoice/Billing notes Cross Site Scripting] |
|---|
| Punkte | 20 |
|---|