Submission #850787: crater-invoice crater 6.0.6 XSS

Title: crater-invoice crater 6.0.6 XSS
Description: Stored XSS via Unsanitized Invoice Notes in Customer Portal

### Summary

Crater's invoice creation endpoint accepts a `notes` field with no HTML validation or sanitization. The value is stored verbatim and rendered unescaped in the authenticated customer portal (`v-html`) and in PDF Blade templates (`{!! !!}`). Any authenticated company user with the `create-invoice` or `edit-invoice` Bouncer ability can store HTML in invoice notes and cause it to execute as JavaScript in any customer's browser when they view that invoice.

### Details

The vulnerability spans three components:

Input validation: `app/Http/Requests/InvoicesRequest.php` has no rule for the `notes` field.

Processing: `app/Traits/GeneratesPdfTrait.php:168`, `getFormattedString()` strips empty tags only; it does not strip script or event-handler tags.

Sink 1 (customer portal): `resources/scripts/components/InvoiceInformationCard.vue:58`

```vue
<span v-html="invoice.formatted_notes"></span>
```

Vue's `v-html` directive inserts raw HTML into the DOM, bypassing Vue's default XSS protections.

Sink 2 (PDF templates): `resources/views/app/pdf/invoice/invoice2.blade.php:445` and `invoice3.blade.php:381`

```blade
{!! $notes !!}
```

Laravel's unescaped output directive renders the notes verbatim.

The `create-invoice` and `edit-invoice` abilities are standard assignable permissions in Crater's role system. A super admin can delegate them to lower-privilege roles such as a "Billing Clerk", so exploitation is not limited to full administrators.

Affected versions: all versions (verified on HEAD as of 2026-05-15).
Source: https://github.com/crater-invoice-inc/crater/issues/1327
User: geochen (UID 78995)
Submitted: 2026-06-07 05:10 AM (29 days ago)
Moderation: 2026-07-05 08:16 PM (29 days later)
Status: accepted
VulDB entry: 376385 [crater-invoice-inc crater up to 6.0.6 Invoice Note InvoicesRequest.php getFormattedString notes cross site scripting]
Points: 20
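The following is an added example, not code from Crater or from the submitter, that models the two rendering paths the report contrasts: raw insertion of the stored `notes` value (what `v-html` and `{!! !!}` do) versus escaped text output (what Vue `{{ }}` and Blade `{{ }}` do). The `stripEmptyTags()` function is a hypothetical stand-in for the "strips empty tags only" behaviour the report attributes to `getFormattedString()`, not Crater's implementation, and the sample note is constructed. `containsActiveHtml()` is a review-time detector for markup that must never reach a raw-HTML sink; it is not a substitute for escaping or for a maintained allowlist sanitizer.

```javascript
// Added example (not Crater's code). Shows why cleaning up empty tags does
// nothing against script/event-handler markup, and that escaping the value
// before output neutralises it.

// Escape the five characters that matter in an HTML text context. This is the
// same transformation Vue text interpolation and Blade `{{ }}` apply.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical stand-in for the "strips empty tags only" behaviour the report
// describes for getFormattedString(). Removes <tag ...></tag> pairs with no
// content; leaves every other element, attribute and script untouched.
function stripEmptyTags(html) {
  return String(html).replace(/<([a-z][a-z0-9]*)\b[^>]*>\s*<\/\1\s*>/gi, '');
}

// Detect markup that must never reach a raw-HTML sink: <script> elements,
// on* event-handler attributes inside a tag, and javascript: URLs inside a tag.
// Only checks inside tags, so escaped text (no '<' left) never matches.
function containsActiveHtml(html) {
  const s = String(html);
  return /<\s*script\b/i.test(s)
    || /<[^>]*\bon[a-z]+\s*=/i.test(s)
    || /<[^>]*\bjavascript\s*:/i.test(s);
}

// What a raw sink (v-html / {!! !!}) receives: the stored value after the
// empty-tag cleanup, with the executable markup still present.
function renderRaw(notes) {
  return stripEmptyTags(notes);
}

// Hardened path: escape before output so the browser shows the markup as text.
// (Alternatively, sanitise with a maintained allowlist library on the server
// before storing; what must not happen is verbatim output.)
function renderEscaped(notes) {
  return escapeHtml(stripEmptyTags(notes));
}

// Constructed sample note (not taken from the issue): harmless formatting the
// cleanup targets, followed by an event-handler payload that survives it.
const SAMPLE_NOTES = 'Payment due in 30 days<p></p><img src=x onerror="alert(1)">';

console.log('raw:     ', renderRaw(SAMPLE_NOTES));
console.log('active?  ', containsActiveHtml(renderRaw(SAMPLE_NOTES)));
console.log('escaped: ', renderEscaped(SAMPLE_NOTES));
console.log('active?  ', containsActiveHtml(renderEscaped(SAMPLE_NOTES)));
```

Running it prints the raw value with `<img ... onerror=...>` intact (flagged as active) and the escaped value with `&lt;img ... onerror=&quot;alert(1)&quot;&gt;` (not flagged). The detector is deliberately narrow and exists to support tests and code review of sink inputs; a real fix is a validation rule on `notes` plus escaped output in both the Vue component and the Blade templates.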
