Vulnerability Details CVE-2021-21260
Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 43.1%
CVSS Severity
CVSS v3 Score 7.6
CVSS v2 Score 3.5
References
- https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
- https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
- https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
- https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
Products affected by CVE-2021-21260
-
cpe:2.3:a:bigprof:online_invoicing_system:4.0