VYPR
Unrated severity · NVD Advisory · Published Nov 30, 2023 · Updated Oct 1, 2024

Cross-site Scripting vulnerability in BigProf products

CVE-2023-6431

Description

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/categories_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Persistent XSS in BigProf Online Invoicing System 2.6 via the FirstRecord parameter of /inventory/categories_view.php allows stored JavaScript execution.

Vulnerability

The vulnerability is a persistent cross-site scripting (XSS) in BigProf Online Invoicing System version 2.6. It arises because the application does not properly sanitize user-controlled input in the FirstRecord parameter of /inventory/categories_view.php. An attacker can inject malicious JavaScript that is stored and executed when the page is loaded.

Exploitation

An attacker needs user-level access to the system to inject the payload via the FirstRecord parameter. No special network position is required, as the application is typically web-facing. The attacker submits a crafted request carrying the payload, which is stored and later triggered when an administrator or another user visits the affected page.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to information disclosure, session hijacking, or other client-side attacks. The CVSS score is 6.3 (Medium), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L.

Mitigation

As of the publication date (2023-11-30), no fix or patch has been released by BigProf. Users are advised to implement input validation and output encoding as a workaround. No workaround details are provided in the reference [1].
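The workaround named above, validation on input and encoding on output, written out for the FirstRecord parameter as an added example. This is not BigProf code; it assumes (which the advisory does not confirm) that FirstRecord is a non-negative integer record offset that the page echoes back into an HTML attribute, and all function and variable names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not BigProf code. Assumption: FirstRecord is a non-negative
// integer record offset; the field and function names here are hypothetical.

/**
 * Accept FirstRecord only as a short string of decimal digits.
 * Anything else (including a script payload) falls back to the default,
 * so a malicious value is never stored or echoed.
 */
function first_record_from_request(array $request, int $default = 0): int
{
    $raw = $request['FirstRecord'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return $default;
    }
    return (int) $raw;
}

/**
 * Encode a value for an HTML text node or double-quoted attribute.
 * Apply this to every value written into the page, whether it comes
 * straight from the request or from storage, since stored values are
 * exactly what persistent XSS relies on.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the kind of sink the advisory describes): the raw
// parameter is written into an attribute unchanged, so a quote in the
// payload closes the attribute and the rest runs as markup/script.
//   echo '<input type="hidden" name="FirstRecord" value="' . $_REQUEST['FirstRecord'] . '">';

// Hardened pattern: validate on the way in, encode on the way out.
$firstRecord = first_record_from_request($_REQUEST);
echo '<input type="hidden" name="FirstRecord" value="' . h((string) $firstRecord) . '">';
```

Validation alone would suffice for an integer field, but keeping the output encoding means a later change to the field's type, or another code path that writes the stored value, does not silently reopen the hole.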

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles in the index yet)