SolidInvoice Stored Cross-Site Scripting Vulnerability in Quote Module

A stored cross-site scripting vulnerability has been identified in SolidInvoice versions through 2.4.0. The issue resides in the Quote Module, specifically within the '/quotes' file. The vulnerability is triggered by manipulating the 'name' parameter, which is the Quote title field. This lack of proper input sanitization allows authenticated users to inject malicious JavaScript that is executed when the quotes list is accessed.

Impact

Exploitation of this vulnerability allows for the injection of malicious JavaScript that is executed in the context of the user viewing the quotes list, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, log into an affected SolidInvoice version (up to 2.4.0) and navigate to the 'Create Quote' interface. Inject a script payload into the 'Quote Name' field, which is not sanitized before being saved. After saving the quote, go to the 'List Quotes' section, where the injected script will execute immediately.