Cross-site Scripting vulnerability in BigProf products

Vulnerability

A persistent cross-site scripting (XSS) vulnerability exists in BigProf Online Invoicing System version 2.6. The application does not sufficiently encode user-controlled input passed to the FirstRecord parameter in the file /invoicing/app/invoices_view.php. This allows an attacker to inject arbitrary JavaScript code that is stored on the server and executed when the page is loaded. The vulnerability is classified as CWE-79 and has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious payload in the FirstRecord parameter and submitting it to the affected page. No authentication is required, but user interaction (e.g., clicking a link or submitting a form) is needed to trigger the storage of the payload. Once stored, the payload executes automatically when any user visits /invoicing/app/invoices_view.php, including administrators [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement of the application interface, theft of sensitive data, or further attacks against other users. The impact is limited to low confidentiality, integrity, and availability compromise as per the CVSS score [1].

Mitigation

As of the publication date (2023-11-30), no official fix or patch has been released by BigProf for this vulnerability. Users are advised to monitor the vendor's website for updates and consider applying input validation and output encoding as a temporary workaround. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].