Medium severity6.1NVD Advisory· Published Dec 24, 2020· Updated Jun 17, 2026
CVE-2020-35676
CVE-2020-35676
Description
BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary Javascript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading into an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- BigProf/Online Invoicing Systemdescription
- Range: <3.1
Patches
Vulnerability mechanics
References
2- labs.ingredous.com/2020/07/13/ois-membershipsignup-xss/nvdExploitThird Party Advisory
- github.com/bigprof-software/online-invoicing-system/releases/tag/3.1nvdThird Party Advisory
News mentions
0No linked articles in our index yet.