Lucene search

Query: BigprofOnline Invoicing System*

4 matches found

CVE
added 2020/12/24 4:15 a.m., 70 views

CVE-2020-35677

BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payl...

CVSS 4.8 | AI score 5 | EPSS 0.0011
Web
CVE
added 2020/12/24 4:15 a.m., 59 views

CVE-2020-35676

BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once th...

CVSS 6.1 | AI score 6.1 | EPSS 0.0024
CVE
added 2022/09/29 3:15 a.m., 34 views

CVE-2020-35674

BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can re...

CVSS 9.8 | AI score 9.6 | EPSS 0.00487
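The CVE-2020-35674 entry above describes the classic shape of the bug: a password-reset lookup that splices the submitted value into the SQL text, so an unauthenticated request can change the query. The following is an added illustration, not code from BigProf or from the CVE record; it uses an in-memory SQLite table with constructed rows, and the table name, column names and payloads are assumptions chosen to make the point, not the application's real schema. It runs the same lookup both ways so the difference is observable rather than asserted.

```python
import sqlite3

# Constructed sample data standing in for a membership store (the real schema is
# not on the page). Each row: e-mail, username, reset token.
MEMBERS = [
    ("alice@example.com", "alice", "tok-alice"),
    ("bob@example.com", "bob", "tok-bob"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, username TEXT, reset_token TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Self-service reset lookup built by string concatenation: the submitted
    e-mail becomes part of the SQL text, so quotes in it rewrite the query."""
    sql = "SELECT username, reset_token FROM members WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter: the value is passed to the engine
    separately from the statement and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, reset_token FROM members WHERE email = ?", (email,)
    ).fetchall()


# Constructed payloads an unauthenticated client could put in the e-mail field.
PAYLOADS = [
    "nobody@example.com' OR '1'='1",  # closes the literal, adds an always-true disjunct
    "x' OR 1=1 -- ",                  # same idea, then comments out the trailing quote
]


def row_counts(conn: sqlite3.Connection, lookup) -> list:
    """Number of rows each payload pulls back through the given lookup."""
    return [len(lookup(conn, p)) for p in PAYLOADS]


def demo() -> dict:
    """Run both lookups against the payloads and one legitimate address."""
    conn = build_db()
    return {
        "vulnerable": row_counts(conn, lookup_vulnerable),  # every member's token leaks
        "safe": row_counts(conn, lookup_safe),              # no such e-mail, no rows
        "legit": lookup_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns both members' reset tokens for addresses that do not exist, which is exactly what makes an unauthenticated reset endpoint a full account-takeover primitive; the parameterised path returns nothing for the same input and still serves the genuine address. Input validation on the e-mail format is a useful second layer, but binding the parameter is the fix.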
CVE
added 2022/09/29 3:15 a.m., 31 views

CVE-2020-35675

BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administr...

CVSS 8.8 | AI score 8.7 | EPSS 0.00338
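CVE-2020-35675 above is a CSRF on an administrative state change: the admin's browser will attach the session cookie to a form auto-submitted from an attacker's page, so the only thing stopping the group move is a value the attacker's page cannot read. The block below is an added illustration in Python, not BigProf's code and not taken from the CVE record; the handler is a stand-in for a "move member to another group" action, and the form field names (member, group, csrf_token), the session layout, the site origin and the sample requests are all constructed assumptions. It shows a session-bound HMAC token plus an Origin/Referer check as defence in depth, and exercises a forged request and a legitimate one.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed deployment values, constructed for this example.
SERVER_SECRET = secrets.token_bytes(32)       # per-deployment key, generated at startup
SITE_ORIGIN = "https://invoicing.example.com"  # hypothetical origin of the application


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(server secret, session id).
    Stateless, so nothing is stored server-side; a cross-site page cannot
    obtain it because it never sees the application's form markup."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time comparison against the token this session should carry."""
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def same_origin(request: dict) -> bool:
    """Defence in depth: if the browser sent Origin (or Referer), scheme and
    host must match the site. Absence is tolerated because some clients omit
    both headers; the token check is the mandatory control."""
    hdr = request["headers"].get("Origin") or request["headers"].get("Referer")
    if hdr is None:
        return True
    got, want = urlparse(hdr), urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_transfer_ownership(request: dict, session: dict) -> tuple:
    """Stand-in for an admin endpoint that moves a member between groups.
    Returns (status, message). Field names are assumptions."""
    if request["method"] != "POST":
        return 405, "state change requires POST"
    if not session.get("is_admin"):
        return 403, "administrator session required"
    if not same_origin(request):
        return 403, "cross-site request rejected"
    if not verify_csrf_token(session["id"], request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"member {form['member']} moved to group {form['group']}"


# Constructed sample traffic. The admin's browser attaches the session cookie to
# every request below; only the legitimate one carries the token from the form.
ADMIN_SESSION = {"id": "sess-7f3a", "is_admin": True}

FORGED_REQUEST = {  # form auto-submitted from an attacker-controlled page
    "method": "POST",
    "headers": {"Origin": "https://attacker.example"},
    "form": {"member": "attacker", "group": "Administrators"},
}

FORGED_NO_ORIGIN = {  # same forgery from a client that sends neither Origin nor Referer
    "method": "POST",
    "headers": {},
    "form": {"member": "attacker", "group": "Administrators"},
}

LEGIT_REQUEST = {  # same action submitted from the application's own page
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"member": "bob", "group": "Accounting",
             "csrf_token": issue_csrf_token(ADMIN_SESSION["id"])},
}


def demo() -> dict:
    return {
        "forged": handle_transfer_ownership(FORGED_REQUEST, ADMIN_SESSION),
        "forged_no_origin": handle_transfer_ownership(FORGED_NO_ORIGIN, ADMIN_SESSION),
        "legit": handle_transfer_ownership(LEGIT_REQUEST, ADMIN_SESSION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The first forgery is stopped by the origin check, the second by the missing token, and a token minted for a different session also fails verification, so the control does not depend on the browser sending Origin. Rendering the token into every state-changing form and rejecting GET for such actions are the two pieces the vulnerable endpoint lacked according to the entry.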