Submission #850787: crater-invoice crater 6.0.6 XSS Info

Title: crater-invoice crater 6.0.6 XSS

Description: Stored XSS via Unsanitized Invoice Notes in Customer Portal

### Summary

Crater's invoice creation endpoint accepts a `notes` field with no HTML validation or sanitization. The value is stored verbatim and rendered unescaped in the authenticated customer portal (`v-html`) and in PDF Blade templates (`{!! !!}`). Any authenticated company user with the `create-invoice` or `edit-invoice` Bouncer ability can store HTML in invoice notes and cause it to execute as JavaScript in any customer's browser when they view that invoice.

### Details

The vulnerability spans three components: input validation, processing, and the rendering sinks.

Input validation: `app/Http/Requests/InvoicesRequest.php` has no rule for the `notes` field.

Processing: `app/Traits/GeneratesPdfTrait.php:168`, `getFormattedString()` strips empty tags only; it does not strip script or event-handler tags.

Sink 1 (customer portal): `resources/scripts/components/InvoiceInformationCard.vue:58`

```vue
<span v-html="invoice.formatted_notes"></span>
```

Vue's `v-html` directive inserts raw HTML into the DOM, bypassing Vue's default XSS protections.

Sink 2 (PDF templates): `resources/views/app/pdf/invoice/invoice2.blade.php:445` and `invoice3.blade.php:381`

```blade
{!! $notes !!}
```

Laravel's unescaped output directive renders the notes verbatim.

The `create-invoice` and `edit-invoice` abilities are standard assignable permissions in Crater's role system. A super admin can delegate them to lower-privilege roles such as a "Billing Clerk", so exploitation is not limited to full administrators.

Affected versions: all versions (verified on HEAD as of 2026-05-15).
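The report's core point is that stripping empty tags is not an XSS defence, while escaping before output is. The following is an added illustration, not Crater's code: `stripEmptyTags` is a constructed stand-in for the behaviour the report attributes to `getFormattedString()` (not the real implementation), `escapeHtml` is the kind of encoding that Blade's `{{ }}` and Vue's text interpolation apply and that `{!! !!}` / `v-html` skip, and `containsActiveHtml` is a coarse review heuristic for spotting active content in rendered fragments. The sample note is constructed.

```javascript
// Added example (not Crater's code). Models the difference between
// "strip empty tags" and "escape before rendering" on a constructed note.

// Constructed model of an empty-tag stripper, standing in for the behaviour
// the report describes for getFormattedString(): removes tags with no content
// (e.g. "<p></p>") and nothing else. Not the project's implementation.
function stripEmptyTags(html) {
  return html.replace(/<([a-z][a-z0-9]*)[^>]*>\s*<\/\1>/gi, "");
}

// Defensive alternative: encode the five HTML metacharacters so the browser
// treats the whole note as inert text. Equivalent in effect to rendering the
// field with Blade's {{ }} or Vue's {{ }} instead of {!! !!} / v-html.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Review heuristic (not a sanitizer): does a fragment still contain a <script>
// element or an on*= event-handler attribute after processing? Useful as a
// regression assertion in a test suite for fields that end up in v-html.
function containsActiveHtml(html) {
  return /<script\b/i.test(html) || /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample note: one harmless empty tag plus an inline script element.
const SAMPLE_NOTE = "<p></p>Payment due in 30 days.<script>/* constructed */</script>";

// Runs both treatments over the sample and reports whether active content survives.
function demo() {
  const stripped = stripEmptyTags(SAMPLE_NOTE); // empty <p> removed, <script> kept
  const escaped = escapeHtml(SAMPLE_NOTE);      // every tag rendered as literal text
  return {
    stripped,
    escaped,
    strippedIsActive: containsActiveHtml(stripped),
    escapedIsActive: containsActiveHtml(escaped),
  };
}

console.log(demo());
```

The `stripped` result still carries the script element, which is exactly the gap the report describes between `getFormattedString()` and a real sanitizer; the `escaped` result is safe to place anywhere text is expected. Where rich formatting in notes is a genuine requirement, the fix is an allow-list HTML sanitizer on the server before storage or rendering, not an escaping function, and never a deny-list of tag names.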
Source ⚠️: https://github.com/crater-invoice-inc/crater/issues/1327
User: geochen (UID 78995)
Submitted: 2026-06-07 05:10 (29 days ago)
Moderated: 2026-07-05 20:16 (29 days later)
Status: Accepted
VulDB Entry: 376385 [crater-invoice-inc crater up to 6.0.6 Invoice Note InvoicesRequest.php getFormattedString notes cross site scripting]
Points: 20
