CVE-2020-35674
Description
BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL injection in /membership_passwordReset.php (the endpoint responsible for issuing self-service password resets). An unauthenticated attacker can send a request containing a crafted payload that extracts sensitive information from the database, eventually leading to an application takeover. This vulnerability was introduced because the developer rolled their own sanitization implementation in order to allow the application to be used in legacy environments.
Affected products
- BigProf/Online Invoicing System
  - Range: <2.9
Patches
11d715607a52f Add security policy
1 file changed · +13 −0
SECURITY.md+13 −0 added@@ -0,0 +1,13 @@ +# Security Policy + +## Reporting a Vulnerability + +To report a security vulnerability, please _**don't**_ open a public issue. This is in effect like posting a 0-day, +exposing all app users without warning. Instead, kindly contact me via the email address on our profile page. + +I want to emphasize that we do appreciate responsible vulnerability reports that include details of reproducing the +issue. And we do take security of our apps very seriously. And because of that, we ask you to report issues privately +as described above, and give us a window of 10 days to respond before publicly posting them. + +During that window of 10 days, we'll do our best to fix the issue, post a new release, and of course acknowledge +the reporter's effort. Thanks for being a reponsible ethical hacker :)
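Review bot: this commit adds only SECURITY.md (+13 −0) and touches no PHP source, so it does not change the query in /membership_passwordReset.php that the description above identifies as the injection point; it should be listed as a disclosure-policy change, and the actual code fix for the password-reset lookup needs to be linked separately. Minor: "reponsible" in the last added line should read "responsible".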
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- labs.ingredous.com/2020/07/13/ois-sqli/ (MITRE x_refsource_MISC)