## crater-invoice crater 6.0.6 XSS

**Description:** Stored XSS via Unsanitized Invoice Notes in Customer Portal
### Summary
Crater's invoice creation endpoint accepts a `notes` field with no HTML validation or sanitization. The value is stored verbatim and rendered unescaped in the authenticated customer portal (`v-html`) and in PDF Blade templates (`{!! !!}`). Any authenticated company user with the `create-invoice` or `edit-invoice` Bouncer ability can store HTML in invoice notes and cause it to execute as JavaScript in any customer's browser when they view that invoice.
### Details
The vulnerability spans three components:
Input validation: `app/Http/Requests/InvoicesRequest.php` has no rule for the `notes` field.
Processing: `getFormattedString()` in `app/Traits/GeneratesPdfTrait.php:168` only strips empty tags; it does not remove `<script>` tags or event-handler attributes.
Sink 1 (customer portal): `resources/scripts/components/InvoiceInformationCard.vue:58`
```vue
<span v-html="invoice.formatted_notes"></span>
```
Vue's `v-html` directive inserts raw HTML into the DOM, bypassing Vue's default XSS protections.
Sink 2 (PDF templates): `resources/views/app/pdf/invoice/invoice2.blade.php:445` and `invoice3.blade.php:381`
```blade
{!! $notes !!}
```
Laravel's unescaped output directive renders the notes verbatim.
The `create-invoice` and `edit-invoice` abilities are standard assignable permissions in Crater's role system. A super admin can delegate them to lower-privilege roles such as a "Billing Clerk", so exploitation is not limited to full administrators.
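As an added defensive illustration (not Crater's code), the formatter below shows the unsafe shape the report describes next to a hardened version that escapes before adding line breaks, so the result stays inert even when rendered through `{!! !!}` or `v-html`; the function names and the sample note are constructed for this example.

```php
<?php
// Added example, not Crater's code. Function names are hypothetical.

// Unsafe shape (what the report describes): formatting without escaping,
// so any HTML in $notes reaches the browser intact when the template
// renders it unescaped.
function formatNotesUnsafe(string $notes): string
{
    return nl2br($notes, false);
}

// Hardened shape: escape first, then emit the only markup we intend.
function formatNotesSafely(?string $notes): string
{
    if ($notes === null || trim($notes) === '') {
        return '';
    }

    // ENT_QUOTES turns < > & " ' into entities, the same treatment Blade's
    // {{ }} gives output, so no tag or attribute survives the conversion.
    $escaped = htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // User line breaks become <br>; nothing else in the output is markup.
    return nl2br($escaped, false);
}

// Constructed sample note carrying markup that must never execute.
$note = "Payment due in 30 days.\n<script>alert(1)</script>";

echo "unsafe: ", formatNotesUnsafe($note), PHP_EOL;
echo "safe:   ", formatNotesSafely($note), PHP_EOL;
```

The escaped string can be passed to `{!! !!}` or `v-html` without re-introducing the sink, because the only tags it contains are the `<br>` elements the formatter itself emitted.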
Affected versions: all versions (verified on HEAD as of 2026-05-15).

| Field | Value |
|---|---|
| Source | https://github.com/crater-invoice-inc/crater/issues/1327 |
| User | geochen (UID 78995) |
| Submission | 07/06/2026 05:10 AM (29 days ago) |
| Moderation | 05/07/2026 08:16 PM (29 days later) |
| Status | Accepted |
| VulDB Entry | 376385 [crater-invoice-inc crater up to 6.0.6 Invoice Note InvoicesRequest.php getFormattedString notes cross site scripting] |
| Points | 20 |