180 matches found
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
βοΈ Description Stored xss in membership profile. π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the city field. 4. Update the profile and You will see an alert. π₯ Impact This vulnerability is capable of Stored xss...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
βοΈ Description Stored xss in membership profile. π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Address field. 4. Update the profile and You will see an alert. π₯ Impact This vulnerability is capable of stored...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
βοΈ Description There is a stored xss in member profile in the full name π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Full Name field. 4. Update the profile and You will see an alert. π₯ Impact Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
βοΈ Description Stored xss in profile state field There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
π₯ BUG xss via groupname in item π₯ VERSION TESTED latest version as of 1/7/21 π₯ IMPACT xss allow to execute arbitary javascript in vicitm account π₯ STEP TO REPRODUCE 1. first goto http://localhost/online-invoice2/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in...
Improper Privilege Management in bigprof-software/online-invoicing-system
π₯ BUG privilege escalation bug to add item to a price-history π₯ IMPACT unprivileged user can add item to a price-history π₯ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from item...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
βοΈ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
βοΈ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the City field as tested on the latest release. π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the City...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
βοΈ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Full name field as tested on latest release. π΅οΈββοΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the Full...
Cross-site Scripting (XSS) - Reflected in bigprof-software/online-invoicing-system
βοΈ Description /app/admin/pageTransferOwnership.php with sourceMemberID parameter is vulnerable to Reflected XSS. Line 216 of pageTransferOwnership.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in...
BigProf Online Invoicing System Cross-Site Scripting Vulnerability (CNVD-2021-08151)
BigProf Online Invoicing System OIS is an online invoicing system. A cross-site scripting vulnerability exists in Online Invoicing System OIS version 4.0, which can be exploited by an attacker to take over an administrative account by extracting a csrf token and sending a password change request,...
BigProf Online Invoicing System θ·¨η«θζ¬ζΌζ΄
BigProf Online Invoicing System OIS is an online invoicing system. A cross-site scripting vulnerability exists in Online Invoicing System OIS version 4.0, which can be exploited by an attacker to take over an administrative account by extracting a csrf token and sending a password change request,...
BigProf Online Invoicing System Cross-Site Scripting Vulnerability (CNVD-2021-06952)
BigProf Online Invoicing System OIS is an easy invoicing tool for small businesses, consultants and freelancers created using AppGini. A stored cross-site scripting vulnerability exists in BigProf Online Invoicing System versions prior to 4.0. The vulnerability stems from the product failing to...
BigProf Online Invoicing System Cross-Site Scripting Vulnerability (CNVD-2021-06953)
BigProf Online Invoicing System OIS is an easy invoicing tool for small businesses, consultants and freelancers created using AppGini. A cross-site scripting vulnerability exists in app/membershipsignup.php and app/admin/pageViewMembers.php in BigProf Online Invoicing System versions prior to 3.1...
CVE-2020-35676
BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once...
CVE-2020-35677
BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the...
CVE-2020-35675
CVE-2020-35675 affects BigProf Online Invoicing System prior to 3.0. The admin/pageTransferOwnership.php endpoint lacks CSRF protection, allowing an attacker to escalate privileges to Administrator and potentially take over the application. Affected component: the transfer ownership function with...
CVE-2020-35676
BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once...
CVE-2020-35677
CVE-2020-35677 affects the BigProf Online Invoicing System (pre-4.0). The vulnerability is a Stored XSS in the group-creation flow via the admin/pageEditGroup.php endpoint, caused by inadequate sanitization of HTML characters. Exploitation requires administrative privileges to create the payload,...
PT-2020-17384 Β· Bigprof Β· Bigprof Online Invoicing System
Name of the Vulnerable Software and Affected Versions: BigProf Online Invoicing System versions prior to 2.9 Description: The issue is related to an unauthenticated SQL Injection in the /membership passwordReset.php endpoint, which is used for self-service password resets. An attacker can send a...