| Field | Value |
|---|---|
| Title | Akaunting v3.1.21 Cross Site Scripting |
| Description | A stored cross-site scripting (XSS) vulnerability was identified in Akaunting v3.1.21, an open-source accounting application. The vulnerability exists in the Notes field of invoice and bill documents. When a user holding at least a Manager-level role (both the Manager and Admin roles hold the create-sales-invoices permission; the Accountant and Customer roles do not) creates an invoice containing an HTML/JavaScript payload in the Notes field, the payload is stored in the database without sanitization and later rendered unescaped in the browser of any user who views the document. This is a stored (persistent) XSS. Project repository: https://github.com/akaunting/akaunting |
| Source | https://docs.google.com/document/d/1TFwYGdjDblEGCMM0l67PXz0HXZu_iUqWDQZavtM9t1U/edit?usp=sharing |
| User | gabriel (UID 72007) |
| Submitted | 2026-03-19 20:05 (26 days ago) |
| Moderation | 2026-04-04 16:29 (16 days later) |
| Status | Accepted |
| VulDB Entry | 355338 [Akaunting up to 3.1.21 Invoice/Billing notes cross-site scripting] |
| Points | 20 |
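The two halves of the bug described above (store the Notes value verbatim, then interpolate it raw into the document view) are shown below as an added illustration of the vulnerability class. This is example code written for this page, not Akaunting's code: `storeInvoice`, `renderNotesUnsafe`, `renderNotesSafe` and `containsActiveMarkup` are hypothetical names, the in-memory `db` array stands in for the database, and the payload is a constructed sample. The hardened renderer escapes the same five characters that Laravel's `e()` helper (and Blade's `{{ }}`) escape, which is the output-encoding fix for this class.

```javascript
// Added example: the store-then-render path of a stored XSS, with the
// vulnerable renderer beside its output-escaped counterpart.
// Names and data here are hypothetical; this is not Akaunting's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape the characters that let text break out into markup or attributes.
// Mirrors what Laravel's e() / Blade {{ }} does on output.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulated persistence: the Notes field is saved exactly as submitted.
// Storing raw text is fine on its own; the defect is rendering it raw later.
function storeInvoice(db, invoice) {
  const record = { id: db.length + 1, notes: invoice.notes };
  db.push(record);
  return record;
}

// Vulnerable view: stored notes are concatenated straight into HTML,
// so any tag or event handler in the value becomes live markup.
function renderNotesUnsafe(record) {
  return `<div class="notes">${record.notes}</div>`;
}

// Hardened view: escape on output so the browser treats notes as text.
function renderNotesSafe(record) {
  return `<div class="notes">${escapeHtml(record.notes)}</div>`;
}

// Check used by the example: does the rendered HTML contain any element
// other than the template's own tags, or any inline event handler?
function containsActiveMarkup(html, templateTags = ['div']) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!templateTags.includes(m[1].toLowerCase())) return true; // foreign element
    if (/\son[a-z]+\s*=/i.test(m[0])) return true;                // on* attribute
  }
  return false;
}

// Constructed sample payload of the kind a Manager-level user could type
// into the Notes field. Harmless here: nothing in this file is a browser.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(\'xss\')">';

// Run both renderers over the same stored record and report what each emits.
function demo(notes = SAMPLE_PAYLOAD) {
  const db = [];
  const record = storeInvoice(db, { notes });
  const unsafe = renderNotesUnsafe(record);
  const safe = renderNotesSafe(record);
  return {
    unsafe,
    safe,
    unsafeIsActive: containsActiveMarkup(unsafe), // true: payload became an <img> with onerror
    safeIsActive: containsActiveMarkup(safe),     // false: payload is inert text
  };
}

module.exports = { escapeHtml, storeInvoice, renderNotesUnsafe, renderNotesSafe, containsActiveMarkup, demo, SAMPLE_PAYLOAD };
```

Note that the check in `containsActiveMarkup` is only a test oracle for this example; the fix is the output escaping in `renderNotesSafe` (or a framework's auto-escaping), not filtering tags on input.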