CVE-2021-21260

Опубликовано: 22 янв. 2021

Источник: nvd

CVSS3: 7.6

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

Ссылки

https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
Third Party Advisory
https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
Exploit
Third Party Advisory
https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2
Third Party Advisory
https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:bigprof:online_invoicing_system:4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 43%

0.00206

Низкий

7.6 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

EPSS

Процентиль: 43%

0.00206

Низкий

7.6 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79