Vulnerability Details CVE-2020-35674
BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.5%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2020-35674
-
cpe:2.3:a:bigprof:online_invoicing_system:2.3
-
cpe:2.3:a:bigprof:online_invoicing_system:2.4
-
cpe:2.3:a:bigprof:online_invoicing_system:2.5
-
cpe:2.3:a:bigprof:online_invoicing_system:2.6
-
cpe:2.3:a:bigprof:online_invoicing_system:2.7