CVE-2020-6583

BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be leveraged for session hijacking. An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account via the Name field in an Add New Client action.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
VendorProductVersion
bigprofonline_invoicing_system
𝑥
≤ 2.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.sevenlayers.com/index.php/282-online-invoicing-system-2-6-xss-session-hijack
https://www.sevenlayers.com/index.php/282-online-invoicing-system-2-6-xss-session-hijack