Vulnerabilities > CVE-2021-21260 - Unspecified vulnerability in Bigprof Online Invoicing System 4.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
References
- https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
- https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
- https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
- https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4