CVE-2021-21260

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2	Third Party Advisory
https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bigprof:online_invoicing_system:4.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-01-22 18:15

Updated : 2024-02-28 18:08

NVD link : CVE-2021-21260

Mitre link : CVE-2021-21260

CVE.ORG link : CVE-2021-21260

JSON object : View

Products Affected

bigprof

online_invoicing_system

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-21260", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.3}]}, "published": "2021-01-22T18:15:12.610", "references": [{"url": "https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.2", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bigprof-software/online-invoicing-system/security/advisories/GHSA-rm79-5596-r7q4", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario."}, {"lang": "es", "value": "El Sistema de Facturaci\u00f3n en L\u00ednea (OIS) es un software de c\u00f3digo abierto que es un sistema de facturaci\u00f3n ajustado para peque\u00f1as empresas, consultores y aut\u00f3nomos creado con AppGini. En OIS versi\u00f3n 4.0 se presenta una vulnerabilidad de tipo XSS almacenado que puede permitir que un atacante tome el control de la cuenta de administrador por medio de una carga \u00fatil que extrae un token csrf y env\u00eda una petici\u00f3n para cambiar la contrase\u00f1a. Se ha detectado que la descripci\u00f3n del art\u00edculo se refleja sin saneamiento en el archivo app/items_view.php, lo que habilita el escenario malicioso"}], "lastModified": "2021-01-29T14:11:08.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bigprof:online_invoicing_system:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03A30130-6CAE-4330-95EF-8658D93EF4C4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}