Vulnerability Description
Online Invoicing System (OIS) is open source software: a lean invoicing system for small businesses, consultants and freelancers, created using AppGini. OIS version 4.0 contains a stored XSS that enables an attacker to take over the admin account through a payload that extracts a CSRF token and sends a request to change the password. The Item description is reflected without sanitization in app/items_view.php, which enables the malicious scenario.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bigprof | Online Invoicing System | 4.0 |
Related Weaknesses (CWE)
References
- https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2 (Third Party Advisory)
- https://github.com/bigprof-software/online-invoicing-system/security/advisories/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-21260?
CVE-2021-21260 is a vulnerability with a CVSS score of 7.6 (HIGH). Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS...
How severe is CVE-2021-21260?
CVE-2021-21260 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-21260?
Check the references section above for vendor advisories and patch information. Affected products include: Bigprof Online Invoicing System.