CVE-2021-21260 HIGH

CVE-2021-21260: XSS in description field

Vendor Bigprof-Software
Product online-invoicing-system
Weakness CWE-79 · XSS
Published January 22, 2021
Last update August 3, 2024

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

What the vulnerability does

01 Description

Online Invoicing System (OIS) is open source software, a lean invoicing system for small businesses, consultants and freelancers built with AppGini. OIS version 4.0 contains a stored XSS that enables an attacker to take over the admin account through a payload that extracts a CSRF token and sends a request to change the password. The item description is rendered without sanitization in app/items_view.php, which is what makes this scenario possible.
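To show the defect class rather than the product's actual code, here is an added illustration (not code from OIS or AppGini) of a PHP view that writes a stored item description into HTML unescaped, beside the output-encoded form; the function and variable names are assumptions.

```php
<?php
// Added illustration, not code from Online Invoicing System / AppGini.
// Constructed item description as a low-privileged user might store it;
// the embedded script is deliberately harmless.
$description = 'Consulting hours <script>document.title="stored xss"</script>';

// Vulnerable pattern (CWE-79): the stored value is concatenated straight
// into HTML, so every viewer's browser executes the embedded script,
// including an administrator who opens the item.
function render_unsafe(string $description): string
{
    return "<td>$description</td>";
}

// Hardened form: encode for the HTML text context at output time.
// ENT_QUOTES also encodes quotes, so the same helper is safe inside
// attribute values; the explicit charset avoids multi-byte ambiguity.
function render_escaped(string $description): string
{
    return '<td>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

echo render_unsafe($description), PHP_EOL;
echo render_escaped($description), PHP_EOL;
```

Encoding at the rendering step fixes the field itself; the admin-takeover chain additionally depends on the page exposing its CSRF token where injected script can read it, so views should not embed such tokens in script-readable form.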

Key dates

02 Disclosure timeline

January 22, 2021 CVE published
August 3, 2024 Record updated