Filtered by vendor Bigprof
Total: 22 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-6435 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6434 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/sections_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6433 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/suppliers_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6432 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6431 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/categories_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6430 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/transactions_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6429 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/clients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6428 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6427 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6426 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6425 | 1 Bigprof | 1 Online Clinic Management System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6424 | 1 Bigprof | 1 Online Clinic Management System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/disease_symptoms_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6423 | 1 Bigprof | 1 Online Clinic Management System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/events_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2023-6422 | 1 Bigprof | 1 Online Clinic Management System | 2024-11-21 | N/A | 6.3 MEDIUM | A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/patients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. |
| CVE-2021-27839 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 5.8 MEDIUM | 4.4 MEDIUM | A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to. |
| CVE-2021-21260 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 3.5 LOW | 7.6 HIGH | Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which enables an attacker to take over the admin account through a payload that extracts a CSRF token and sends a request to change the password. It has been found that the Item description is reflected without sanitization in app/items_view.php, which enables the malicious scenario. |
| CVE-2020-6583 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be leveraged for session hijacking. An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account via the Name field in an Add New Client action. |
| CVE-2020-35677 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact, as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection. |
| CVE-2020-35676 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary JavaScript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading to an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php. |
| CVE-2020-35675 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 8.8 HIGH | BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administrator and effectively take over the application. |
