Cross-site Scripting vulnerability in BigProf products

Vulnerability

A persistent cross-site scripting (XSS) vulnerability exists in BigProf Online Invoicing System version 2.6. The application fails to sufficiently encode user-controlled input in the FirstRecord parameter of the /invoicing/app/clients_view.php page. This allows an attacker to inject arbitrary JavaScript code that will be stored and executed when the page is loaded by other users. The vulnerability is classified as CWE-79 and has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) [1].

Exploitation

An attacker does not require authentication (PR:N) but relies on user interaction (UI:R) to trigger the payload. The attacker can inject a malicious script into the FirstRecord parameter via a crafted request to /invoicing/app/clients_view.php. When an administrator or other user visits the affected page, the stored script executes in their browser. The attack vector is network-based (AV:N) with low complexity (AC:L) [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, redirection to malicious sites, or other actions that mimic the victim's privileges within the application. The scope is unchanged, but the impact on confidentiality, integrity, and availability is low (C:L/I:L/A:L) [1].

Mitigation

As of the publication date (November 30, 2023), no official fix or patch has been released by the vendor. Users are advised to monitor for updates and consider implementing input validation and output encoding as a workaround. The vulnerability is not currently known to be listed in the CISA KEV catalog [1].