Cross-Site Request Forgery (CSRF) in bigprof-software/online-invoicing-system
✍️ Description csrf bug to mass delete client 🕵️♂️ Proof of Concept below request is vulnerable to csrf attack. here csrf token checking, no referrer checking. There is nothing to prevent csrf attack. POST /online-invoicing-system/app/clientsview.php HTTP/1.1 Host: localhost User-Agent:...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description I found a stored XSS in your project which is led by adding client's comment. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Client. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description I found a stored XSS in your project which is led by adding unpaid invoice comment. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create an unpaid invoice. 2. Enter " in the comments. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding Leases starting/ending. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Starting or Ending, as both are vulnerable. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding Application/Leases notes. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create an Application/Leases. 2. Enter " in the notes. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding Units description. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Unit. 2. Enter " in the description. 3. Save and you will see XSS. 💥 Impact This vulnerability is capable of stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding property name which reflects on summary-reports-application-leases-1.php 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a Property. 2. Enter x''' in the comments. 3. Save and visit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description I found a stored XSS in your project which is led by adding anonymous group name. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a group. 2. Enter group"' in the group name. 3. Save and visit view groups. 4. Click on the Anonymous group you just created. 💥 Impact This...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored xss 2 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitrary javascript in victim account 💥 STEP TO REPRODUCE 1. go to http://localhost/online-rental/app/admin/pageSettings.php and click on Sign Up tab. Put below xss payload xss2"' in Members custom...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
💥 BUG Stored xss via signup page 💥 VERSION TESTED latest version as of 4/7/21 💥 IMPACT xss allow to execute arbitrary javascript in victim account 💥 STEP TO REPRODUCE 1. go to http://localhost/online-rental/app/admin/pageSettings.php and click on Sign Up tab. Here allow signup. Now put below xss...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description stored xss via Group name 🕵️♂️ Proof of Concept Step To Reproduce: Go to /admin/pageEditGroup.php and create a group with payload: '/ Now visit user dashboard, i.e., /membershipprofile.php, and see the xss pops up Poc video:...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️♂️ Proof of Concept Step to Reproduce: Go to /itemsview.php and add the payload: ""@x.y as Item Description and add required data and...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS in anonymous user name due to improper sanitization of user input 🕵️♂️ Proof of Concept Steps to reproduce: 1. Go to http://192.168.43.130:8081/app//admin/pageSettings.php and click on pre-configured users. 2. Edit anonymous username to xss" 3. Save it and visit...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release 🕵️♂️ Proof of Concept Step To Reproduce: Visit clientsview.php and click add a new client. Add any details, add payload: on the Comments...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Address field as tested on the latest release. 🕵️♂️ Proof of Concept step to reproduce: Go to /admin/pageSettings.php and click Preconfigured users and groups Add payload: " on Name...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
💥 BUG xss via unpaid-invoice-comment 💥 VERSION TESTED latest version as of 3/7/21 💥 IMPACT xss allow to execute arbitrary javascript in victim account 💥 STEP TO REPRODUCE 1. go to http://localhost/online-invoice3/app/hooks/calendar-unpaid-invoices.php?date=2021-06-03&view=dayGridMonth and create a...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss via employmentandincomehistoryview 🕵️♂️ Proof of Concept plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1wmBmdvdHTLORNc9det4HYj1Dtfd97Y/view?usp=sharing...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
💥 BUG STORED XSS 💥 TESTED VERSION latest version as of 3/7/21 💥 STEP TO REPRODUCE plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/16Y2WR7PKj-OpDGGDMAxV60CaiSX2RZXl/view?usp=sharing...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in pageTransferOwnership.php where sourceMemberID parameter leads to xss which gets stored in pageViewRecords.php 🕵️♂️ Proof of Concept Steps to reproduce: 1. Go to admin account 2. Visit URL /app/admin/pageTransferOwnership.php?sourceGroupID=2&sourceMemberID="alert1 💥...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in adding group name. 🕵️♂️ Proof of Concept Steps to reproduce: 1. Create a group and enter s"' in group name 2. Save and view it, you will see popup 💥 Impact This vulnerability is capable of stored xss...