Lucene search

GitHub_MCVELIST:CVE-2021-21260

HistoryJan 22, 2021 - 5:20 p.m.

CVE-2021-21260 XSS in description field

2021-01-2217:20:15

CWE-79

GitHub_M

www.cve.org

cve-2021-21260; xss; ois version 4.0; invoicing system; stored xss; admin account takeover; csrf token; change password; item description; app/items_view.php; sanitization

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

CNA Affected

[
  {
    "product": "online-invoicing-system",
    "vendor": "bigprof-software",
    "versions": [
      {
        "status": "affected",
        "version": "= 4.0"
      }
    ]
  }
]

References

github.com/bigprof-software/online-invoicing-system/releases/tag/4.2

github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4