33 matches found
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored XSS in adding properties lead by adding owners first name and second name. 🕵️♂️ Proof of Concept Video POC: https://drive.google.com/file/d/1QbdzPJPHmQPsNl-o43a-Slub4Z3hhNh/view?usp=sharing 💥 Impact This vulnerability is capable of Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in membership profile. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the State field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in membership profile. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the city field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of Stored xss...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in membership profile. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Address field. 4. Update the profile and You will see an alert. 💥 Impact This vulnerability is capable of stored...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description There is a stored xss in member profile in the full name 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a member account. 2. Login into the member account. 3. Enter the s"' payload in the Full Name field. 4. Update the profile and You will see an alert. 💥 Impact Stored XSS...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in profile state field There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
💥 BUG xss via groupname in item 💥 VERSION TESTED latest version as of 1/7/21 💥 IMPACT xss allow to execute arbitary javascript in vicitm account 💥 STEP TO REPRODUCE 1. first goto http://localhost/online-invoice2/app/admin/pageEditGroup.php and add a new group and put bellow xss payload in...
Improper Privilege Management in bigprof-software/online-invoicing-system
💥 BUG privilege escalation bug to add item to a price-history 💥 IMPACT unprivileged user can add item to a price-history 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add new user called user-B .\ Now revoke all acccess from item...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the City field as tested on the latest release. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the City...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
✍️ Description There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the Full name field as tested on latest release. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user account. 3. Enter the s"' payload in the Full...
Cross-site Scripting (XSS) - Reflected in bigprof-software/online-invoicing-system
✍️ Description /app/admin/pageTransferOwnership.php with sourceMemberID parameter is vulnerable to Reflected XSS. Line 216 of pageTransferOwnership.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. In this case the data is sent at builtinecho in...
Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting
Exploit Title: Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting Date: 2019-11-29 Exploit Author: Cemal Cihad ÇİFTÇİ Vendor Homepage: https://bigprof.com Software Download Link : https://github.com/bigprof-software/online-invoicing-system Software : Online Invoicing Syst...