VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2026 · Updated Jun 22, 2026

Akaunting 3.1.21 - Authenticated stored XSS in report description rendering

CVE-2026-11994

Description

Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing output encoding of the report description field in both the textarea component and the reports index page allows stored cross-site scripting."

Attack vector

An attacker with permission to create or update reports stores arbitrary HTML/JavaScript in the description field. The stored value is later rendered without output encoding in two contexts: the report edit form (raw inside a `<textarea>`) and the reports index page (raw inside the report card description). A payload such as `</textarea><img src=x onerror=alert(document.domain)>` closes the textarea element and executes JavaScript when another authenticated user opens the affected report edit page. The same stored value is also rendered as raw HTML on the reports index page. [ref_id=1]

Affected code

The vulnerability resides in the report management workflow of Akaunting 3.1.21. The report input validation (app/Http/Requests/Common/Report.php:16-20) allows arbitrary string content, the create/update jobs persist all request fields directly (app/Jobs/Common/CreateReport.php:15-17, app/Jobs/Common/UpdateReport.php:13-15), and the report model permits mass assignment of description (app/Models/Common/Report.php:21). The shared textarea component prints the persisted value as raw Blade output (resources/views/components/form/input/textarea.blade.php:10-26) and the reports index also renders report descriptions as raw HTML (resources/views/common/reports/index.blade.php:50-52).

What the fix does

The advisory states that there is currently no patch available for this vulnerability. [ref_id=1] Remediation would require output-encoding the description value before it is rendered in the textarea component and on the reports index page, so that attacker-controlled HTML is displayed as text rather than parsed by the browser.
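Added example, not Akaunting's own code: the two rendering shapes the advisory contrasts, written as plain PHP functions that stand in for the Blade textarea component and the reports index card (the helper names and markup are assumptions), plus a small regression check that the encoded output keeps the element intact.

```php
<?php
// Added example, not Akaunting's own code. The render_* helpers and their
// markup are assumptions standing in for the Blade textarea component and
// the reports index card named in the advisory.
declare(strict_types=1);

// Same transformation as Laravel's e() helper, which Blade's {{ }} syntax
// applies; ENT_QUOTES also encodes quotes, so the value is safe in attributes.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape: the stored value is concatenated raw, as {!! $value !!} would.
function render_textarea_unsafe(string $description): string
{
    return '<textarea name="description">' . $description . '</textarea>';
}

// Fixed shape: a stored "</textarea>" arrives as "&lt;/textarea&gt;", which the
// browser shows as text inside the element and never treats as a closing tag.
function render_textarea_safe(string $description): string
{
    return '<textarea name="description">' . encode_html($description) . '</textarea>';
}

// The index card needs the same encoding: there the value is ordinary element content.
function render_report_card_safe(string $name, string $description): string
{
    return '<div class="report"><h3>' . encode_html($name) . '</h3>'
        . '<p>' . encode_html($description) . '</p></div>';
}

// Regression check worth keeping in a template test suite: the rendered
// textarea must contain exactly one closing tag and no raw "<img".
function textarea_stays_intact(string $html): bool
{
    return substr_count($html, '</textarea>') === 1 && strpos($html, '<img') === false;
}

// Constructed sample with the same shape as the payload quoted in the advisory.
$stored = 'CVE-REPORT-DESC-</textarea><img src=x onerror=alert(document.domain)>';
if (textarea_stays_intact(render_textarea_unsafe($stored))) {
    throw new RuntimeException('raw rendering unexpectedly survived');
}
if (!textarea_stays_intact(render_textarea_safe($stored))) {
    throw new RuntimeException('encoded rendering still breaks the element');
}

echo render_textarea_safe($stored), PHP_EOL;
```

The same `encode_html` call belongs on every field a report card or form prints, not only the description; the check above is cheap enough to run over each of them.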

Preconditions

  • Attacker must have a user account with permission to create or update reports
  • Victim must be an authenticated user who opens the affected report edit page or reports index page

Reproduction

Step 1 - Create a report with a malicious description

1. Log in to Akaunting as a user allowed to create reports, for example [email protected].
2. Open: /1/common/reports.
3. Click New Report.
4. Fill the form with a valid name, for example: Report XSS Evidence.
5. Select any available report type, for example: Income Summary.
6. Set the report description to: CVE-REPORT-DESC-</textarea><img src=x onerror=alert(document.domain)>.
7. Save the report.

Step 2 - Trigger the payload from the report edit page

1. Return to the reports list.
2. Open the created report in edit mode.
3. The stored description value is loaded into the shared textarea component.
4. The browser parses the injected </textarea> as the end of the element, creates the injected <img>, and executes the onerror handler.

Step 3 - Trigger the payload from the reports index

1. Store a report description containing executable HTML, for example: <img src=x onerror=alert(document.domain)>.
2. Open: /1/common/reports.

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
