VYPR
Unrated severity · NVD Advisory · Published Nov 30, 2023 · Updated Aug 2, 2024

Cross-site Scripting vulnerability in BigProf products

CVE-2023-6427

Description

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Persistent XSS in BigProf Online Invoicing System 2.6 via the FirstRecord parameter in invoices_view.php allows stored JavaScript payloads.

Vulnerability

A persistent cross-site scripting (XSS) vulnerability exists in BigProf Online Invoicing System version 2.6. The application fails to sufficiently encode user-controlled input in the FirstRecord parameter of /invoicing/app/invoices_view.php. This allows an attacker to inject malicious JavaScript payloads that are stored on the server and executed when the page is loaded. [1]

Exploitation

An attacker with network access to the application can craft a malicious request to the vulnerable parameter without requiring authentication (CVSS: PR:N). The attacker submits a payload in the FirstRecord parameter, which is stored and later triggered when any user visits the invoices_view.php page. [1]

Impact

Successful exploitation results in persistent XSS, enabling the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to information disclosure, session hijacking, or other malicious actions. The CVSS v3.1 base score is 6.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. [1]

Mitigation

As of the publication date (2023-11-30), no official patch or solution has been reported by the vendor. Users should monitor for updates and consider implementing input validation or output encoding as a workaround. The product may be end-of-life or unsupported. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The application does not sufficiently encode user-controlled input in the FirstRecord parameter, allowing persistent XSS."

Attack vector

An attacker can send a crafted HTTP request to `/invoicing/app/invoices_view.php` with a malicious JavaScript payload in the `FirstRecord` parameter [1]. The application does not sufficiently encode this user-controlled input before storing it, resulting in persistent (stored) XSS [1]. When any user loads the affected page, the stored payload executes in their browser. No authentication is required to trigger the vulnerability, but user interaction (loading the page) is needed for the payload to fire.

Affected code

The vulnerability is in `/invoicing/app/invoices_view.php`, specifically in the `FirstRecord` parameter [1]. The advisory does not specify the exact line or function within that file.

What the fix does

The advisory states that no solution has been reported at this time [1]. No patch is available in the bundle. The recommended remediation would be to properly encode or sanitize the `FirstRecord` parameter before storing or rendering it, preventing the execution of injected JavaScript.
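The two-layer remediation described above, as an illustrative PHP example added here; it is not BigProf's code (the advisory does not show the affected source) and it assumes `FirstRecord` is a numeric paging offset that the page persists and later echoes into HTML.

```php
<?php
// Illustrative example, not BigProf's code. Assumes FirstRecord is a numeric
// paging offset that invoices_view.php stores and later writes into markup.

// Vulnerable shape: the raw request value is persisted unchanged ...
function store_first_record_unsafe(?string $raw): string
{
    return $raw ?? '0';                     // no validation, no encoding
}

// ... and later written into markup verbatim, so stored markup is rendered live.
function render_unsafe(string $firstRecord): string
{
    return '<a href="invoices_view.php?FirstRecord=' . $firstRecord . '">Next</a>';
}

// Hardened shape, step 1: validate on input. A paging offset has no reason to
// contain anything but digits, so anything else is rejected before storage.
function store_first_record_safe(?string $raw): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $value === false ? 0 : $value;   // fall back to the first page
}

// Hardened shape, step 2: encode on output as well, so a value that reaches the
// template by another path (rows stored before the fix, a bypassed check) still
// cannot break out of the attribute or inject elements.
function render_safe(string $firstRecord): string
{
    $encoded = htmlspecialchars($firstRecord, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="invoices_view.php?FirstRecord=' . $encoded . '">Next</a>';
}

// Constructed sample: a value that is not a record offset at all.
$sample = '0"><i>not a number</i>';
echo render_unsafe(store_first_record_unsafe($sample)), PHP_EOL;       // markup survives
echo render_safe((string) store_first_record_safe($sample)), PHP_EOL;  // FirstRecord=0
echo render_safe($sample), PHP_EOL;  // encoding alone: the quote and tags come out inert
```

Validation and output encoding are independent controls; the last line shows that encoding alone already neutralises the sample, while validation alone would still leave older stored rows to be rendered safely.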

Preconditions

  • network: The attacker must be able to send HTTP requests to the affected /invoicing/app/invoices_view.php endpoint.
  • input: A victim user must load the affected page to trigger the stored payload.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0. No linked articles in our index yet.