GHSA-4v7v-7v7r-3r5h

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.

Details

When an administrator views the History tab of that specific note, the script executes in their browser session.

PoC

1. Log in as a regular user.

2. Open "Sales"=>"Customers"=> "Delivery Notes"

   <img width="818" height="223" alt="image" src="https://github.com/user-attachments/assets/82518644-2676-42db-93b1-86133986276c" />

3. Chose one of the customer or create the new one.

4. Open "Delivery notes"

   <img width="2078" height="713" alt="image" src="https://github.com/user-attachments/assets/f7e5027f-e574-4807-9e9c-bf8a51bc1fff" />

5. Create a new Delivery Note or edit an existing one. Fill the "Number 2" field with any value and save.

   <img width="2097" height="739" alt="image" src="https://github.com/user-attachments/assets/a3ca5ccb-3d9a-4cfc-a991-16206a1a862b" />

<img width="2097" height="858" alt="image" src="https://github.com/user-attachments/assets/9ca39755-4be6-4303-ab3c-b589cd222daf" /> 6. In the Observations field, enter the malicious JavaScript and save it again. <img width="2097" height="870" alt="image" src="https://github.com/user-attachments/assets/f189c53b-8b73-44e8-bb18-bd46f37cef4f" /> <img width="1539" height="885" alt="image" src="https://github.com/user-attachments/assets/b2d20eb1-246e-4acc-b904-77bc85373873" /> 7. Now we have record in "History" tab. <img width="2096" height="768" alt="image" src="https://github.com/user-attachments/assets/6b76d7d4-fc2c-4eb1-9137-4e4ba7287b9b" /> 8. Logout and login as admin. Next go to the "History" tab with malicious code: <img width="1730" height="702" alt="image" src="https://github.com/user-attachments/assets/54f4af37-72f3-47a0-9669-2b1f6293f2b4" /> <img width="1749"...