Akaunting Cross-Site Scripting Vulnerability in Reports Component

A cross-site scripting (XSS) vulnerability has been identified in Akaunting version 3.1.18, within the reports component located at '/common/reports'. This vulnerability allows authenticated attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'name' parameter. The issue arises from insufficient sanitization of user input, enabling the injection of malicious links that can redirect users.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, log into an affected Akaunting account and navigate to the '/common/reports' section. Once there, edit the name field of a report by inserting a hyperlink, such as one pointing to Google. After saving the changes, clicking on the linked text will redirect to the specified URL, demonstrating the successful execution of the injected script.