| Title | crater-invoice crater 6.0.6 XSS |
|---|
| Description | Stored XSS via Unsanitized Invoice Notes in Customer Portal
### Summary
Crater's invoice creation endpoint accepts a `notes` field with no HTML validation or sanitization. The value is stored verbatim and rendered unescaped in the authenticated customer portal (`v-html`) and in PDF Blade templates (`{!! !!}`). Any authenticated company user with the `create-invoice` or `edit-invoice` Bouncer ability can store HTML in invoice notes and cause it to execute as JavaScript in any customer's browser when they view that invoice.
### Details
The vulnerability spans three components:
Input validation: `app/Http/Requests/InvoicesRequest.php` has no rule for the `notes` field.
Processing: `app/Traits/GeneratesPdfTrait.php:168`, `getFormattedString()` strips empty tags only; it does not remove `<script>` elements or event-handler attributes.
Sink 1 (customer portal): `resources/scripts/components/InvoiceInformationCard.vue:58`
```vue
<span v-html="invoice.formatted_notes"></span>
```
Vue's `v-html` directive inserts the string into the DOM as raw HTML, bypassing the escaping that Vue applies to normal `{{ }}` text interpolation.
Sink 2 (PDF templates): `resources/views/app/pdf/invoice/invoice2.blade.php:445` and `invoice3.blade.php:381`
```blade
{!! $notes !!}
```
Blade's unescaped output syntax `{!! !!}` renders the notes verbatim, unlike `{{ }}`, which HTML-encodes its value.
The `create-invoice` and `edit-invoice` abilities are standard assignable permissions in Crater's role system. A super admin can delegate them to lower-privilege roles such as a "Billing Clerk", so exploitation is not limited to full administrators.
Affected versions: all versions (verified on HEAD as of 2026-05-15). |
|---|
| Source | https://github.com/crater-invoice-inc/crater/issues/1327 |
|---|
| User | geochen (UID 78995) |
|---|
| Submitted | 2026-06-07 05:10 AM (29 days ago) |
|---|
| Moderation | 2026-07-05 08:16 PM (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376385 [crater-invoice-inc crater up to 6.0.6 Invoice Note InvoicesRequest.php getFormattedString notes cross site scripting] |
|---|
| Points | 20 |
|---|
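The missing step in the description above is sanitization of the `notes` value before it reaches a raw HTML sink (`v-html` or `{!! !!}`). The following is an added example, not Crater's code: an escape-then-allowlist sanitizer in JavaScript that keeps a small set of bare formatting tags and leaves everything else as inert text. The allowed-tag set and the sample note are assumptions.

```javascript
// Added example, not Crater's code. Shows the sanitization step the report
// says is missing: escape the notes value, then restore only harmless tags,
// so the result can be passed to a raw HTML sink such as v-html or {!! !!}.
// The allowed-tag set is an assumption chosen to keep simple formatting.

const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li"]);

// Escape the five HTML metacharacters. If notes are plain text, this alone
// (or switching the sinks to Blade/Vue {{ }} interpolation) is the whole fix.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escape everything first, then restore only bare allowed tags (no attributes).
// A tag carrying any attribute, including an on* event handler, never matches
// the restore pattern and stays as text; elements outside the allowlist, such
// as <script>, stay escaped as well. This is the inverse of "strip empty tags":
// nothing is trusted unless it is explicitly allowed.
function sanitizeNotes(notes) {
  const escaped = escapeHtml(notes);
  return escaped.replace(/&lt;(\/?)([a-zA-Z]+)&gt;/g, (match, slash, name) => {
    const tag = name.toLowerCase();
    return ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : match;
  });
}

// Constructed sample note: legitimate formatting mixed with the kind of markup
// the report says getFormattedString() leaves in place.
const SAMPLE_NOTE =
  '<b>Payment due in 30 days.</b><br>' +
  '<script>f()</script>' +
  '<img src="x" onerror="f()">';

console.log(sanitizeNotes(SAMPLE_NOTE));
```

The same escape-then-allowlist logic belongs server-side in the request or formatting layer, so that both the portal and the PDF templates receive an already-sanitized value.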