CVE-2020-35677

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-35677

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35677.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-35677

Published

2020-12-24T04:15:12.547Z

Modified

2026-03-13T00:41:00.773899Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection.

References

https://labs.ingredous.com/2020/07/13/ois-groupedit-xss/

Affected packages

Git / github.com/bigprof-software/online-invoicing-system

Affected ranges

Type

GIT

Repo

https://github.com/bigprof-software/online-invoicing-system

Events

Introduced

Fixed

18522835aa2b23c5376bc1c68ef727f41f334f79

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0"
        }
    ]
}

Affected versions

2.*

2.3

2.4

2.5

2.6

2.7

2.9

3.*

3.0

3.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35677.json"