Lucene search
K

180 matches found

Huntr
Huntr
β€’added 2021/07/03 2:36 a.m.β€’10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in membership profile. πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the city field. 4. Update the profile and You will see an alert. πŸ’₯ Impact This vulnerability is capable of Stored xss...

1.4AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/03 2:35 a.m.β€’11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in membership profile. πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Address field. 4. Update the profile and You will see an alert. πŸ’₯ Impact This vulnerability is capable of stored...

1.3AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/03 2:33 a.m.β€’7 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description There is a stored xss in member profile in the full name πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Full Name field. 4. Update the profile and You will see an alert. πŸ’₯ Impact Stored XSS...

0.6AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/03 1:53 a.m.β€’11 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

✍️ Description Stored xss in profile state field There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...

0.2AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/02 7:8 p.m.β€’10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

πŸ’₯ BUG xss via groupname in item πŸ’₯ VERSION TESTED latest version as of 1/7/21 πŸ’₯ IMPACT xss allow to execute arbitary javascript in vicitm account πŸ’₯ STEP TO REPRODUCE 1. first goto http://localhost/online-invoice2/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in...

2AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/02 6:37 p.m.β€’10 views

Improper Privilege Management in bigprof-software/online-invoicing-system

πŸ’₯ BUG privilege escalation bug to add item to a price-history πŸ’₯ IMPACT unprivileged user can add item to a price-history πŸ’₯ STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from item...

0.9AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/02 1:8 a.m.β€’8 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the...

0.6AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/02 1:7 a.m.β€’10 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the City field as tested on the latest release. πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the City...

1AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/02 1:4 a.m.β€’5 views

Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Full name field as tested on latest release. πŸ•΅οΈβ€β™‚οΈ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the Full...

0.5AI score
Exploits0
Huntr
Huntr
β€’added 2021/07/01 6:57 p.m.β€’5 views

Cross-site Scripting (XSS) - Reflected in bigprof-software/online-invoicing-system

✍️ Description /app/admin/pageTransferOwnership.php with sourceMemberID parameter is vulnerable to Reflected XSS. Line 216 of pageTransferOwnership.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in...

0.5AI score
Exploits0References1
CNVD
CNVD
β€’added 2021/01/28 12:0 a.m.β€’8 views

BigProf Online Invoicing System Cross-Site Scripting Vulnerability (CNVD-2021-08151)

BigProf Online Invoicing System OIS is an online invoicing system. A cross-site scripting vulnerability exists in Online Invoicing System OIS version 4.0, which can be exploited by an attacker to take over an administrative account by extracting a csrf token and sending a password change request,...

7.6CVSS6.3AI score0.00596EPSS
Exploits1References1
CNNVD
CNNVD
β€’added 2021/01/22 12:0 a.m.β€’8 views

BigProf Online Invoicing System θ·¨η«™θ„šζœ¬ζΌζ΄ž

BigProf Online Invoicing System OIS is an online invoicing system. A cross-site scripting vulnerability exists in Online Invoicing System OIS version 4.0, which can be exploited by an attacker to take over an administrative account by extracting a csrf token and sending a password change request,...

7.6CVSS5.9AI score0.00596EPSS
Exploits1References3
CNVD
CNVD
β€’added 2020/12/25 12:0 a.m.β€’7 views

BigProf Online Invoicing System Cross-Site Scripting Vulnerability (CNVD-2021-06952)

BigProf Online Invoicing System OIS is an easy invoicing tool for small businesses, consultants and freelancers created using AppGini. A stored cross-site scripting vulnerability exists in BigProf Online Invoicing System versions prior to 4.0. The vulnerability stems from the product failing to...

4.8CVSS5.7AI score0.0033EPSS
Exploits0References1
CNVD
CNVD
β€’added 2020/12/25 12:0 a.m.β€’8 views

BigProf Online Invoicing System Cross-Site Scripting Vulnerability (CNVD-2021-06953)

BigProf Online Invoicing System OIS is an easy invoicing tool for small businesses, consultants and freelancers created using AppGini. A cross-site scripting vulnerability exists in app/membershipsignup.php and app/admin/pageViewMembers.php in BigProf Online Invoicing System versions prior to 3.1...

6.1CVSS6.5AI score0.00749EPSS
Exploits1References1
OSV
OSV
β€’added 2020/12/24 4:15 a.m.β€’13 views

CVE-2020-35676

BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once...

6.1CVSS6.3AI score
Exploits0References2
NVD
NVD
β€’added 2020/12/24 4:15 a.m.β€’16 views

CVE-2020-35677

BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the...

4.8CVSS5.1AI score0.0033EPSS
Exploits0References1
CVE
CVE
β€’added 2020/12/24 3:5 a.m.β€’47 views

CVE-2020-35675

CVE-2020-35675 affects BigProf Online Invoicing System prior to 3.0. The admin/pageTransferOwnership.php endpoint lacks CSRF protection, allowing an attacker to escalate privileges to Administrator and potentially take over the application. Affected component: the transfer ownership function with...

8.8CVSS8.7AI score0.00455EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
β€’added 2020/12/24 3:4 a.m.β€’24 views

CVE-2020-35676

BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once...

6.2AI score0.00749EPSS
Exploits1References2
CVE
CVE
β€’added 2020/12/24 3:4 a.m.β€’85 views

CVE-2020-35677

CVE-2020-35677 affects the BigProf Online Invoicing System (pre-4.0). The vulnerability is a Stored XSS in the group-creation flow via the admin/pageEditGroup.php endpoint, caused by inadequate sanitization of HTML characters. Exploitation requires administrative privileges to create the payload,...

4.8CVSS5AI score0.0033EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
β€’added 2020/12/24 12:0 a.m.β€’4 views

PT-2020-17384 Β· Bigprof Β· Bigprof Online Invoicing System

Name of the Vulnerable Software and Affected Versions: BigProf Online Invoicing System versions prior to 2.9 Description: The issue is related to an unauthenticated SQL Injection in the /membership passwordReset.php endpoint, which is used for self-service password resets. An attacker can send a...

9.8CVSS9.6AI score0.01113EPSS
Exploits0References3
Rows per page
Query Builder