timschofield webERP
cpe:2.3:a:weberp:weberp:*:*:*:*:*:*:*
- <= 5.0.0.rc+13
A cross-site scripting (XSS) vulnerability has been identified in timschofield webERP versions up to and including 5.0.0.rc+13. The issue lies in the Confirm Dispatch and Invoice page, specifically in the ConfirmDispatch_Invoice.php file. It is triggered by manipulating the Narrative argument, allowing remote attackers to inject scripts that are stored with the order and later rendered. Exploitation requires user interaction: the injected script executes when a user with the appropriate permissions opens the page.
Successful exploitation results in cross-site scripting, where the injected script runs in the browser and session context of the user viewing the page.
To reproduce this vulnerability, a user with the Inquiries/Order Entry security role can inject scripts through the Narrative field while creating an order. Once the order is saved, the script executes when the Confirm Dispatch and Invoice page is accessed. This can be done by sending a crafted URL to a system administrator, who unknowingly executes the script by opening the link.
Users are advised to update to the patched version of webERP, which is available on the vendor's GitHub repository.
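The root cause described above is stored text being written into the page without HTML encoding. The following is an added illustration of the output-encoding pattern that closes this class of stored XSS in PHP; it is not webERP's code and not the vendor's patch (which the advisory does not quote), and the function and variable names are assumptions made for the example:

```php
<?php
// Added illustration, not webERP's own code. A hypothetical page fragment
// that renders an order line's stored narrative; the names $narrative and
// render_narrative_* are assumptions for this example.

// Constructed sample: a stored narrative containing markup typed by a user.
$narrative = 'Deliver to rear entrance <script>alert(1)</script>';

// Vulnerable pattern: stored text is concatenated straight into the HTML,
// so any markup it contains becomes part of the page and runs in the
// viewer's session.
function render_narrative_unsafe(string $narrative): string {
    return '<td>' . $narrative . '</td>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attribute values written with either quote style; ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string; the explicit
// charset avoids encoding mismatches between storage and output.
function render_narrative_safe(string $narrative): string {
    return '<td>' . htmlspecialchars($narrative, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

echo render_narrative_unsafe($narrative), PHP_EOL;
echo render_narrative_safe($narrative), PHP_EOL;
```

The encoding belongs at every point where the narrative is written back into HTML, including the order-entry form that re-displays the saved value for editing; filtering on input alone is not a substitute, because the same value may later be rendered in several places and contexts.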