Cross-site Scripting vulnerability in BigProf products
Description
A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/suppliers_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BigProf Online Invoicing System 2.6 has a persistent XSS vulnerability in /inventory/suppliers_view.php via the FirstRecord parameter, allowing stored JavaScript execution.
Vulnerability
BigProf Online Invoicing System version 2.6 does not sufficiently encode user-controlled input, leading to a persistent cross-site scripting (XSS) vulnerability in the file /inventory/suppliers_view.php via the FirstRecord parameter [1]. An attacker can inject arbitrary JavaScript that is stored and executed when the page loads.
Exploitation
An attacker needs a role that allows setting the FirstRecord parameter, likely by submitting a form or URL parameter. The attack requires nothing of the victim beyond loading the affected page, but the attacker must be able to deliver the malicious payload to the server [1]; the stored script then runs for any user who visits that page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement. The CVSS v3.1 score is 6.3 (medium), with impacts on confidentiality, integrity, and availability all rated low [1].
Mitigation
As of the advisory publication (November 2023), no official patch or solution has been reported [1]. Users should monitor for updates from BigProf and consider input sanitization or Web Application Firewall rules as temporary mitigations.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: = 2.6
- Range: 3.2
Patches (0)
No patches discovered yet.
References (1)