CVE-2020-35676

Source
https://cve.org/CVERecord?id=CVE-2020-35676
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35676.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-35676
Published
2020-12-24T04:15:12.500Z
Modified
2025-11-14T11:04:06.371229Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

BigProf Online Invoicing System before 3.1 fails to correctly sanitize user-supplied input when a user registers through the self-registration functionality. An attacker can therefore submit a crafted XSS payload that is stored and executed when the application's administrator views the registered users' list. Once the arbitrary JavaScript runs in the administrator's browser context, the attacker can gain administrative privileges, effectively leading to an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php.

References

Affected packages

Git / github.com/bigprof-software/online-invoicing-system

Affected ranges

Type
GIT
Repo
https://github.com/bigprof-software/online-invoicing-system
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*
2.3
2.4
2.5
2.6
2.7
2.9
3.*
3.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35676.json"