CVE-2020-6583

EUVD-2020-27731
BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be leveraged for session hijacking. An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account via the Name field in an Add New Client action.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
bigprofonline_invoicing_system
𝑥
≤ 2.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.sevenlayers.com/index.php/282-online-invoicing-system-2-6-xss-session-hijack
https://www.sevenlayers.com/index.php/282-online-invoicing-system-2-6-xss-session-hijack