| Field | Value |
|---|---|
| Title | crater-invoice crater 6.0.6 XSS |
| Description | Stored XSS via Unsanitized Invoice Notes in Customer Portal |
### Summary
Crater's invoice creation endpoint accepts a `notes` field with no HTML validation or sanitization. The value is stored verbatim and rendered unescaped in the authenticated customer portal (`v-html`) and in PDF Blade templates (`{!! !!}`). Any authenticated company user with the `create-invoice` or `edit-invoice` Bouncer ability can store HTML in invoice notes and cause it to execute as JavaScript in any customer's browser when they view that invoice.
### Details
The vulnerability spans three components:
Input validation: `app/Http/Requests/InvoicesRequest.php` has no rule for the `notes` field.
Processing: `getFormattedString()` in `app/Traits/GeneratesPdfTrait.php:168` strips empty tags only; it does not remove `<script>` tags or event-handler attributes.
Sink 1 (customer portal): `resources/scripts/components/InvoiceInformationCard.vue:58`
```vue
<span v-html="invoice.formatted_notes"></span>
```
Vue's `v-html` directive inserts raw HTML into the DOM, bypassing the automatic escaping Vue applies to `{{ }}` text interpolation.
Sink 2 (PDF templates): `resources/views/app/pdf/invoice/invoice2.blade.php:445` and `invoice3.blade.php:381`
```blade
{!! $notes !!}
```
Laravel's unescaped output directive renders the notes verbatim.
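As an added example (not Crater's code), the JavaScript below shows why stripping empty tags leaves the notes dangerous and what an allowlist formatter that is safe to hand to `v-html` or `{!! !!}` looks like. `stripEmptyTagsOnly` is an assumed approximation of the behaviour the report attributes to `getFormattedString()`, not the project's actual implementation; `formatNotes`, `ALLOWED_TAGS` and `SAMPLE_NOTE` are constructed for this example.

```javascript
// Added example, not Crater's code. Assumed approximation of the behaviour the
// report attributes to getFormattedString(): only <tag></tag> pairs with nothing
// inside are removed, so scripts and attributes pass through untouched.
function stripEmptyTagsOnly(notes) {
  return notes.replace(/<(\w+)[^>]*>\s*<\/\1>/g, "");
}

// Hardened formatter: only bare <b>, <i>, <u>, <p> and <br> tags survive; every
// other tag, every tag carrying attributes, and all text is HTML-escaped. The
// result can be rendered with v-html or {!! !!} without executing scripts.
const ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br"]);

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function formatNotes(notes) {
  // Tokens: a bare tag like <b>, </b> or <br/>, a run of text, or a lone "<".
  // A tag with attributes (<b onclick=...>) never matches the first branch,
  // so it is consumed as "<" plus text and escaped.
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*\/?>|[^<]+|</g;
  let out = "";
  for (const m of notes.matchAll(tokenRe)) {
    const [token, tag] = m;
    out += tag && ALLOWED_TAGS.has(tag.toLowerCase())
      ? token.toLowerCase()   // safe, attribute-free tag kept as markup
      : escapeHtml(token);    // everything else becomes literal text
  }
  // Notes are plain text for most users: keep their line breaks visible.
  return out.replace(/\r?\n/g, "<br>");
}

// Constructed sample note containing the kind of content the report describes.
const SAMPLE_NOTE = "Pay <b>now</b>\n<script>x()</script><i onclick=y()>soon</i>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(stripEmptyTagsOnly(SAMPLE_NOTE)); // script and onclick survive
  console.log(formatNotes(SAMPLE_NOTE));        // rendered as inert text
}
```

If notes never need markup at all, the simpler fix is to render them with `{{ }}` / `{{ $notes }}` and a `white-space: pre-line` style instead of any HTML sink.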
The `create-invoice` and `edit-invoice` abilities are standard assignable permissions in Crater's role system. A super admin can delegate them to lower-privilege roles such as a "Billing Clerk", so exploitation is not limited to full administrators.
Affected versions: all versions (verified on HEAD as of 2026-05-15).
| Field | Value |
|---|---|
| Source | https://github.com/crater-invoice-inc/crater/issues/1327 |
| User | geochen (UID 78995) |
| Submission | 2026-06-07 05:10 (29 days ago) |
| Moderation | 2026-07-05 20:16 (29 days later) |
| Status | Accepted |
| VulDB Entry | 376385 [crater-invoice-inc crater up to 6.0.6 Invoice Note InvoicesRequest.php getFormattedString notes cross-site scripting] |
| Points | 20 |