138 matches found
CVE-2021-27839
A CSV injection vulnerability found in Online Invoicing System OIS 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to...
EUVD-2020-23337
Malware in sbrugna...
EUVD-2021-14578
Malware in sbrugna...
EUVD-2023-58665
Malicious code in bioql PyPI...
EUVD-2023-58664
Malicious code in bioql PyPI...
EUVD-2023-58670
Malicious code in bioql PyPI...
EUVD-2023-58669
Malicious code in bioql PyPI...
EUVD-2023-58668
Malicious code in bioql PyPI...
EUVD-2023-58667
Malicious code in bioql PyPI...
EUVD-2023-58666
Malicious code in bioql PyPI...
EUVD-2023-58663
Malicious code in bioql PyPI...
EUVD-2023-58672
Malicious code in bioql PyPI...
EUVD-2023-58671
Malicious code in bioql PyPI...
CVE-2021-21260
Online Invoicing System OIS is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf...
CVE-2020-35675
BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint admin/pageTransferOwnership.php lacks CSRF protection, resulting in an attacker being able to escalate their privileges to...
CVE-2020-6583
BigProf Online Invoicing System OIS through 2.6 has XSS that can be leveraged for session hijacking. An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account via the Name field in an Add New Client action...
CVE-2020-35677
BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the...
CVE-2020-35676
BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once...
CVE-2020-35674
BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membershippasswordReset.php the endpoint that is responsible for issuing self-service password resets. An unauthenticated attacker is able to send a request containing a crafted payload that can...
CVE-2023-6435
A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batchesview.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to...