CVE-2026-11994
Deferred - Pending Action
Authenticated Stored XSS in Akaunting Report Management

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Fluid Attacks

Description
Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: akaunting
Product: akaunting
Version / Range: 3.1.21
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is an authenticated stored Cross-Site Scripting (XSS) flaw found in Akaunting version 3.1.21 within the report management workflow.

A user who has permission to create or update reports can inject arbitrary HTML or JavaScript code into the description field of a report.

The malicious code is stored and later rendered unsafely in two administrative interfaces: the report edit form and the reports index page.

This happens because of insufficient input validation, direct persistence of user-supplied data, and raw output rendering without encoding.

An example payload could be something like </textarea><img src=x onerror=alert(document.domain)>, which executes when another user views the affected page.

Impact Analysis

This vulnerability can allow an attacker with report creation or update permissions to execute malicious scripts in the context of other users who view the affected reports.

Such script execution can lead to unauthorized actions, data theft, session hijacking, or other malicious activities within the administrative interfaces.

Because the vulnerability requires authenticated access with specific permissions, the risk is limited to users who have those privileges.

However, if exploited, it can compromise the integrity and security of the application and its users.

Detection Guidance

This vulnerability can be detected by checking for malicious HTML or JavaScript payloads in the description field of reports within Akaunting version 3.1.21. Because the flaw is a stored Cross-Site Scripting (XSS) issue, detection means inspecting stored report descriptions for suspicious script tags or event-handler attributes.

One approach is to query the database or use application interfaces to search for typical XSS payload patterns such as <img src=x onerror=alert(document.domain)> or similar script injections in the report descriptions.

The exact commands depend on your environment; with direct database access, for example, you could run a SQL query such as:

  • SELECT id, description FROM reports WHERE description LIKE '%<script%' OR description LIKE '%onerror=%' OR description LIKE '%<img%';

Additionally, monitoring HTTP traffic for suspicious payloads or using web application security scanners that detect stored XSS vulnerabilities in the report management workflow can help identify exploitation attempts.
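The following is an added example, not part of the advisory and not Akaunting's own code. It is written in Python rather than the project's PHP and works over constructed sample rows that stand in for the result of the `SELECT id, description FROM reports` query above. It applies the same three indicators the SQL LIKE clauses use (`<script`, `onerror=`, `<img`) and widens them to any `on*=` event handler, `javascript:` URLs and the `</textarea>` breakout that the advisory's sample payload relies on. Because a bare `<img` also matches legitimate markup, it is treated as a weak indicator that alone does not flag a row; the table names and sample contents are assumptions.

```python
import re

# Constructed sample rows standing in for `SELECT id, description FROM reports`.
# Row 3 carries the payload quoted in the advisory; the rest are made-up data.
SAMPLE_REPORTS = [
    (1, "Quarterly revenue by customer"),
    (2, "Expenses by category <b>Q2</b>"),
    (3, "</textarea><img src=x onerror=alert(document.domain)>"),
    (4, 'Tax summary <script>fetch("/logout")</script>'),
    (5, 'See <a href="javascript:void(0)">notes</a>'),
    (6, 'Cash flow <img src="/logo.png" alt="logo">'),
]

# Indicator patterns. The first three mirror the LIKE clauses in the advisory;
# the others generalise to any on* handler, javascript: URLs and textarea breakout.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "img_tag": re.compile(r"<\s*img\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "textarea_breakout": re.compile(r"<\s*/\s*textarea\b", re.I),
}

# Indicators that are weak evidence on their own (ordinary markup uses them too).
WEAK = {"img_tag"}


def scan_description(description):
    """Return the set of indicator names that match one description string."""
    return {name for name, rx in INDICATORS.items() if rx.search(description)}


def find_suspicious(rows):
    """Return [(id, sorted indicator names)] for rows with at least one strong indicator.

    A row that matches only weak indicators (e.g. a plain <img> tag) is not reported,
    which keeps the review queue focused on handlers and script injection.
    """
    hits = []
    for report_id, description in rows:
        found = scan_description(description or "")
        if found - WEAK:
            hits.append((report_id, sorted(found)))
    return hits


if __name__ == "__main__":
    for report_id, indicators in find_suspicious(SAMPLE_REPORTS):
        print(f"report {report_id}: {', '.join(indicators)}")
```

Running the scan over the sample rows reports rows 3, 4 and 5 and leaves row 6 (a legitimate image tag) alone. In a real deployment the rows would come from a read-only database connection or an export of the reports table, and every hit should be reviewed by hand before anything is deleted.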

Mitigation Strategies

Immediate mitigation steps include restricting report creation and update permissions to only trusted users, as the vulnerability requires authenticated users with such permissions.

Since no patch is currently available, it is critical to implement input validation and output encoding manually if possible, to prevent malicious HTML/JavaScript from being stored or rendered.

As a temporary workaround, you can audit and sanitize existing report descriptions to remove any malicious scripts.

Also, educate users and administrators about the risk and monitor the application for suspicious activity related to report creation or updates.
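To make the output-encoding part of the mitigation concrete, here is an added example that is not from the advisory or the Akaunting code base. Written in Python as a stand-in for the PHP templates, it renders the advisory's sample payload into a simplified report edit form and index row twice: once echoing the stored value raw (the flawed behaviour the advisory describes) and once with the value HTML-encoded on output. A small tag walker then checks whether the payload managed to close the textarea and introduce its own element. The form structure and function names are assumptions made for the illustration.

```python
import html
import re

# Payload quoted in the advisory, used here as constructed test input.
PAYLOAD = "</textarea><img src=x onerror=alert(document.domain)>"


def render_edit_form_unsafe(description):
    """Template that echoes the stored value raw: this is the flawed behaviour."""
    return f'<form><textarea name="description">{description}</textarea></form>'


def render_edit_form_safe(description):
    """Same form with the value encoded on output; < > & " ' become entities,
    so the stored text is displayed for editing but can never close the textarea."""
    return f'<form><textarea name="description">{html.escape(description, quote=True)}</textarea></form>'


def render_index_row_unsafe(description):
    """Index page cell that echoes the stored value raw."""
    return f"<tr><td>{description}</td></tr>"


def render_index_row_safe(description):
    """Index page cell with the value encoded on output."""
    return f"<tr><td>{html.escape(description, quote=True)}</td></tr>"


TAG_RX = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.I)


def tags_in(markup):
    """Lower-cased names of every tag (open or close) in the rendered markup, in order.
    Entities such as &lt; are not tags, so encoded payloads contribute nothing here."""
    return [m.group(1).lower() for m in TAG_RX.finditer(markup)]


def textarea_intact(markup):
    """True when only the template's own tags are present and the textarea is
    opened and closed exactly once, i.e. the stored value did not break out."""
    tags = tags_in(markup)
    return set(tags) <= {"form", "textarea"} and tags.count("textarea") == 2


def contains_markup(description):
    """Defence in depth at storage time: True if the value carries any tag-like text.
    A report description is plain text, so rejecting '<' on input is a cheap extra check,
    but output encoding remains the control that actually prevents the XSS."""
    return "<" in description or ">" in description


if __name__ == "__main__":
    print("unsafe form intact:", textarea_intact(render_edit_form_unsafe(PAYLOAD)))
    print("safe form intact:  ", textarea_intact(render_edit_form_safe(PAYLOAD)))
    print("safe index row:    ", render_index_row_safe(PAYLOAD))
```

With the raw template, the payload's `</textarea>` terminates the field and the `<img onerror=...>` becomes a live element on the page; with encoding applied at output, the same stored string renders as visible text inside the textarea and the index cell. In a Laravel/Blade template this is the difference between the escaping `{{ $value }}` syntax and the raw `{!! $value !!}` syntax; which construct Akaunting's own views use is not stated on this page.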
