Invoice Ninja Stored Cross-Site Scripting Vulnerability in Line Item Descriptions

Vulnerability

A stored cross-site scripting vulnerability has been identified in Invoice Ninja versions prior to 5.13.4. The issue arises in the line item description field: input entered there bypasses the application's XSS denylist filter, so script payloads stored in a description execute when the invoice is viewed in the PDF preview or the client portal. The root cause is that line item descriptions were not properly sanitized before rendering.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the invoice. This could lead to session hijacking, account takeover, or data exfiltration.

Reproduction

To reproduce this vulnerability, log in as an authenticated user and create or edit an invoice. In the line item description, enter a script payload, such as an image tag with an 'onerror' event handler. After saving the invoice, the payload executes when the invoice is previewed.

Remediation

Users should update to Invoice Ninja version 5.13.4 or later, where this vulnerability is fixed by adding the necessary sanitization to line item descriptions.
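The advisory describes a denylist filter that a line item description slips past, and a fix that sanitizes the field before rendering. The following Python example, added here and not taken from Invoice Ninja's code base (whose actual filter and fix are not shown on this page), illustrates the difference: a hypothetical tag-name denylist strips a script tag but leaves an image tag with an event-handler attribute intact, whereas entity-encoding the description on output neutralizes any markup regardless of the tag used. The sample descriptions, the denylist, and the render_line_item template are constructed for the illustration.

```python
import html
import re

# Constructed sample line item descriptions (not from the advisory).
SAMPLE_DESCRIPTIONS = [
    "Consulting services, 10 hours",        # ordinary text
    "Rate < 5% for repeat customers",       # legitimate use of '<'
    "<script>alert('x')</script>",          # caught by a tag-name denylist
    "<img src=x onerror=alert(1)>",         # image tag with an event handler: passes a tag-name denylist
]

# Hypothetical denylist of the kind the advisory says is bypassable.
# It only knows a fixed set of tag names; any other element with an
# event-handler attribute goes through untouched.
DENYLISTED_TAGS = ("script", "iframe", "object", "embed")


def denylist_filter(text: str) -> str:
    """Remove opening/closing tags for the denylisted names only."""
    for tag in DENYLISTED_TAGS:
        text = re.sub(rf"</?{tag}\b[^>]*>", "", text, flags=re.IGNORECASE)
    return text


def escape_description(text: str) -> str:
    """Allowlist-style output encoding: every '<', '>', '&' and quote
    becomes an entity, so the browser (or an HTML-based PDF renderer)
    displays the description as text and never parses it as markup."""
    return html.escape(text, quote=True)


def render_line_item(description: str, sanitizer) -> str:
    """Constructed stand-in for an invoice template cell that embeds the description."""
    return f'<td class="description">{sanitizer(description)}</td>'


# Detection check for rendered output: a <script> element, or any element
# carrying an on*= attribute, means active content reached the page.
ACTIVE_CONTENT = re.compile(r"<\s*(script\b|\w+[^>]*\bon\w+\s*=)", re.IGNORECASE)


def contains_active_content(rendered_html: str) -> bool:
    return ACTIVE_CONTENT.search(rendered_html) is not None


def compare_filters(descriptions=SAMPLE_DESCRIPTIONS) -> dict:
    """Return, per description, whether each strategy lets active content through."""
    results = {}
    for desc in descriptions:
        results[desc] = {
            "denylist": contains_active_content(render_line_item(desc, denylist_filter)),
            "escape": contains_active_content(render_line_item(desc, escape_description)),
        }
    return results


if __name__ == "__main__":
    for desc, outcome in compare_filters().items():
        print(f"{desc!r}: denylist leaks={outcome['denylist']}, escape leaks={outcome['escape']}")
```

The check in contains_active_content is deliberately narrow (it looks only for script elements and event-handler attributes) and is meant as a regression test for the rendered template, not as a filter itself; the point of the example is that output encoding makes such a check pass for every input, while a denylist only passes for the inputs its authors anticipated.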

Added: Mar 26, 2026, 9:34 PM
Updated: Mar 26, 2026, 9:34 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.