SolidInvoice Cross-Site Scripting Vulnerability in Client Functionality
Vulnerability
A stored cross-site scripting vulnerability has been identified in SolidInvoice versions 2.3.7 and 2.3.8. This issue allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of users viewing the 'Clients' page. In a multi-user environment, such as one with several administrators, this could result in session hijacking, theft of credentials or tokens, phishing or social engineering attacks, and unauthorized actions performed on behalf of another user.
Impact
Exploitation of this vulnerability allows for the injection of JavaScript that is executed in the context of other authenticated users, potentially leading to session hijacking, credential or token theft, phishing or social engineering attacks, and unauthorized actions on behalf of another user.
Reproduction
To reproduce this vulnerability, navigate to 'Clients' and select 'Add Client'. Enter a payload in the 'Name' field, for example a script tag containing JavaScript code such as a prompt call. After filling in the required fields and saving the client, return to the 'List Clients' page to trigger the execution of the injected script.
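As an added illustration (not from the advisory or the SolidInvoice code base), the following Python shows the unsafe pattern behind a stored XSS of this kind beside its hardened form: a client list rendered from stored records, once by raw interpolation and once with context-appropriate HTML escaping, plus a helper to flag stored names that contain markup. The client records are constructed sample data.

```python
import html
import re

# Constructed sample client records (not from the advisory). The last name
# carries the script-tag style payload the advisory describes.
CLIENTS = [
    {"id": 1, "name": "Acme Corp"},
    {"id": 2, "name": "O'Reilly & Sons <Ltd>"},
    {"id": 3, "name": "<script>prompt(1)</script>"},
]


def render_row_unsafe(client: dict) -> str:
    """Vulnerable pattern: the stored name is interpolated into HTML verbatim,
    so any tags it contains become part of the page. Shown for contrast only."""
    return f'<tr><td title="{client["name"]}">{client["name"]}</td></tr>'


def render_row_safe(client: dict) -> str:
    """Hardened pattern: escape the untrusted value for its HTML context.
    html.escape(quote=True) also encodes ' and ", so the same escaped string is
    safe both as element text and inside a double-quoted attribute."""
    name = html.escape(client["name"], quote=True)
    return f'<tr><td title="{name}">{name}</td></tr>'


def render_clients(clients, row_renderer) -> str:
    """Build the 'List Clients' table with the given row renderer."""
    rows = "".join(row_renderer(c) for c in clients)
    return f"<table>{rows}</table>"


# Matches anything that looks like an HTML tag. It is a triage aid for
# reviewing already-stored records after upgrading, not an input filter:
# benign names containing angle brackets are flagged too.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)


def contains_markup(value: str) -> bool:
    """Flag stored values that contain HTML tags for manual review."""
    return bool(TAG_RE.search(value))


if __name__ == "__main__":
    print(render_clients(CLIENTS, render_row_safe))
    for c in CLIENTS:
        if contains_markup(c["name"]):
            print(f"client {c['id']}: name contains markup, review it")
```

The fix belongs in the template layer (auto-escaping on every untrusted value), not in input validation alone, since stored data reaches many views.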
Remediation
Users are advised to update SolidInvoice to version 2.3.8 or later.
