Cross-site Scripting vulnerability in BigProf products
Description
A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in BigProf Online Invoicing System 2.6 via the FirstRecord parameter in items_view.php allows stored JavaScript payloads.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in BigProf Online Invoicing System version 2.6. The application does not sufficiently encode user-controlled input in the FirstRecord parameter of /invoicing/app/items_view.php. This allows an attacker to inject arbitrary JavaScript code that is stored on the server and executed when the page is loaded by any user. The vulnerability is classified as CWE-79 and has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious payload in the FirstRecord parameter, typically via a POST or GET request to the affected endpoint. No authentication is required to trigger the stored payload, but user interaction (e.g., visiting the page) is needed for execution. The injected script is stored in the system and will execute automatically when any user accesses /invoicing/app/items_view.php [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of sensitive data (e.g., session cookies, credentials), defacement of the application, or further attacks such as phishing. The impact is limited to the confidentiality, integrity, and availability of the affected application, each of which the CVSS vector rates as Low (C:L/I:L/A:L) [1].
Mitigation
As of the publication date (2023-11-30), no official patch or solution has been released by the vendor. The advisory from INCIBE states "No solution reported at this time" [1]. Users are advised to apply input validation and output encoding on the FirstRecord parameter, or restrict access to the vulnerable page until a fix is available.
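The following is an added example, not BigProf's code, showing what the advised "input validation and output encoding" on FirstRecord looks like in PHP. It assumes FirstRecord is a pagination offset that items_view.php writes back into the page (an assumption; the real code path is not described in the advisory). The unsafe pattern is hypothetical and only illustrates the CWE-79 defect class; the hardened version whitelists the value as a non-negative integer and still HTML-encodes it on output.

```php
<?php
// Added example (not the project's code). Assumption: FirstRecord is a
// pagination offset echoed into HTML by items_view.php.
declare(strict_types=1);

/**
 * Output encoding: every untrusted value written into an HTML body or
 * attribute goes through this first. ENT_QUOTES covers both quote styles
 * so the value cannot break out of an attribute; ENT_SUBSTITUTE prevents
 * invalid UTF-8 from producing an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Input validation: an offset only ever needs to be a non-negative integer
 * (assumption), so reject anything else instead of trying to sanitise it.
 * Absent or malformed input falls back to the default offset.
 */
function validFirstRecord(?string $raw, int $default = 0): int
{
    if ($raw === null) {
        return $default;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? $default : $n;
}

// --- Hypothetical vulnerable pattern: raw request value written straight
// --- into an attribute. A quote or angle bracket in $firstRecord ends the
// --- attribute and the rest of the string is parsed as markup.
function renderPagerUnsafe(string $firstRecord): string
{
    return '<a href="items_view.php?FirstRecord=' . $firstRecord . '">Next</a>';
}

// --- Hardened pattern: validate on input, encode on output. Encoding is
// --- kept even after validation so a value later re-rendered from storage
// --- (the stored-XSS case) is still safe.
function renderPagerSafe(?string $rawFirstRecord): string
{
    $first = validFirstRecord($rawFirstRecord);
    return '<a href="items_view.php?FirstRecord=' . escapeHtml((string) $first) . '">Next</a>';
}

// Constructed sample input standing in for a hostile request parameter.
$constructedInput = '"><script>alert(1)</script>';

echo renderPagerUnsafe($constructedInput), PHP_EOL; // markup survives into the page
echo renderPagerSafe($constructedInput), PHP_EOL;   // malformed value replaced by the default offset
echo renderPagerSafe('25'), PHP_EOL;                // well-formed offset passes through
echo escapeHtml($constructedInput), PHP_EOL;        // the same string, encoded for HTML
```

The validation step is the stronger control for a numeric parameter, because it removes the attacker's ability to supply markup at all; the encoding step is what the advisory's "output encoding" advice refers to and is the control that also protects any other page that renders the stored value.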
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BigProf Online Invoicing System 2.6 (no CPE assigned)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.