Express Invoice
by NCH Software
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11561 | | High | 0.57 | 8.8 | 0.02 | | Apr 7, 2020 | In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen. |
| CVE-2020-11560 | | High | 0.54 | 7.8 | 0.01 | | Apr 7, 2020 | NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. |
| CVE-2019-16282 | | Medium | 0.35 | 5.4 | 0.01 | | Oct 14, 2019 | In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript. |
| CVE-2020-13476 | | Medium | 0.31 | 4.8 | 0.01 | | Dec 28, 2020 | NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module. |