VYPR
Unrated severity · NVD Advisory · Published Nov 30, 2023 · Updated May 22, 2025

Cross-site Scripting vulnerability in BigProf products

CVE-2023-6432

Description

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Persistent XSS in BigProf Online Invoicing System 2.6 via the FirstRecord parameter in /inventory/items_view.php allows stored JavaScript payloads.

Vulnerability

BigProf Online Invoicing System version 2.6 does not sufficiently encode user-controlled input, leading to persistent cross-site scripting (XSS) in the /inventory/items_view.php page via the FirstRecord parameter [1]. This vulnerability is part of a set of 14 XSS issues discovered by Rafael Pedrero across multiple BigProf products [1].

Exploitation

An attacker with network access can inject a malicious JavaScript payload into the FirstRecord parameter. The payload is stored on the system and executed when any user loads the affected page. No authentication is required to trigger the stored XSS, but user interaction (viewing the page) is necessary for execution [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data. The CVSS v3.1 base score is 6.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L [1].

Mitigation

As of the publication date (2023-11-30), no official fix or patch has been released by BigProf [1]. Users should monitor for updates and, as a workaround, validate the FirstRecord input and HTML-encode it on output. The product is open source, so custom patches may be possible.
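The workaround above in code, as an added illustration that is not BigProf's own source: it assumes a PHP page that reads FirstRecord from the request and echoes it back into the HTML (for example a pagination label), which is the pattern the advisory describes, and it assumes FirstRecord is a numeric record offset as its name suggests. The first function shows the unencoded pattern; the second validates the value and HTML-encodes it on output.

```php
<?php
// Added example, not code from BigProf Online Invoicing System.
// Assumes items_view.php-style code that reflects FirstRecord into the page.

// Vulnerable pattern (constructed): the raw parameter is interpolated into HTML,
// so any markup stored in it reaches the browser verbatim.
function render_vulnerable(array $request): string {
    $first = $request['FirstRecord'] ?? '1';
    return "<span class=\"first-record\">Showing from record $first</span>";
}

// Hardened pattern: validate first (FirstRecord is assumed to be a positive
// integer offset), then HTML-encode whatever reaches the output context.
// Encoding is kept even after validation as the last line of defence for
// any code path that later echoes a string value here.
function render_hardened(array $request): string {
    $raw = $request['FirstRecord'] ?? '1';
    $first = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($first === false) {
        $first = 1; // anything that is not a positive integer is discarded
    }
    $safe = htmlspecialchars((string) $first, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<span class=\"first-record\">Showing from record $safe</span>";
}

// Constructed sample input: a value carrying a quote and a tag, standing in
// for the kind of markup the advisory says can be stored in FirstRecord.
$sample = ['FirstRecord' => '1"><b>injected</b>'];

echo render_vulnerable($sample), PHP_EOL; // the <b> tag lands in the page as markup
echo render_hardened($sample), PHP_EOL;   // renders "Showing from record 1"; no markup survives
```

Validation rejects the sample outright; if the application must accept free-form text in some other field, the `htmlspecialchars` call is what turns `<` and `"` into `&lt;` and `&quot;` so the browser shows them as text rather than parsing them.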

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
