Lucene search: Nchsoftware Express Invoice

4 matches found

CVE
added 2019/10/14 5:2 p.m., 77 views

CVE-2019-16282

CVE-2019-16282 affects NCH Express Invoice v7.12. The vulnerability is a persistent cross-site scripting (XSS) flaw exploitable via the Invoices/Items/Customers/Quotes input fields. An authenticated unprivileged user can modify parameters in these fields to inject arbitrary JavaScript. The issue ...

CVSS 5.4 | AI score 5.3 | EPSS 0.00581
Web
CVE
added 2020/12/28 9:21 p.m., 72 views

CVE-2020-13476

The CVE-2020-13476 entry describes a Reflected XSS in the Quotes List module of NCH Express Invoice versions 8.06–8.24. Affected software is the NCH Express Invoice product (Invoice software). According to the NVD entry, the vulnerability is network-accessible with MEDIUM overall risk (CVSS v3.1 ...

CVSS 4.8 | AI score 4.8 | EPSS 0.0068
CVE
added 2020/04/07 2:31 p.m., 43 views

CVE-2020-11561

NCH Express Invoice 7.25 is affected by CVE-2020-11561. The vulnerability allows an authenticated, low-privilege user to craft a URL that gains access to higher-privileged functionalities, such as the Add New Item screen. Multiple connected sources (NVD, Red Hat, CNVD, CNVD-derived listings) corr...

CVSS 8.8 | AI score 8.3 | EPSS 0.02206
CVE
added 2020/04/07 12:0 a.m., 41 views

CVE-2020-11560

CVE-2020-11560 affects NCH Express Invoice 7.25. Local users can read the application’s configuration file to obtain cleartext passwords, enabling potential account takeover. Root cause: credentials stored in plaintext in the configuration/files under the Express Invoice data path. Exploitation d...

CVSS 7.8 | AI score 7.5 | EPSS 0.01227
Web