Headline
CVE-2023-6435: Multiple XSS vulnerabilities in BigProf products
A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
Affected Resources
- Online Clinic Management System, version 2.2.
- Online Invoicing System, version 2.6.
- Online Inventory Manager, version 3.2.
Description
INCIBE has coordinated the publication of 14 vulnerabilities affecting several products of BigProf, an open source web content management system, which have been discovered by Rafael Pedrero.
All of these vulnerabilities share the same CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVSS v3.1 base score: 6.3 | CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-79
CVE identifiers from CVE-2023-6422 to CVE-2023-6432, both inclusive, have been reserved.
Solution
No solution reported at this time.
Detail
A vulnerability has been discovered in several BigProf products, which does not sufficiently encode user-controlled input, resulting in persistent XSS, across multiple files and parameters. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
The list of products, files and parameters affected by these XSS vulnerabilities is as follows:
- Online Clinic Management System 2.2:
  - CVE-2023-6422: through /clinic/patients_view.php, in the parameter FirstRecord.
  - CVE-2023-6423: through /clinic/events_view.php, in the parameter FirstRecord.
  - CVE-2023-6424: through /clinic/disease_symptoms_view.php, in the parameter FirstRecord.
  - CVE-2023-6425: through /clinic/medical_records_view.php, in the parameter FirstRecord.
- Online Invoicing System 2.6:
  - CVE-2023-6426: through /invoicing/app/invoices_view.php, in the parameter FirstRecord.
  - CVE-2023-6427: through /invoicing/app/invoices_view.php, in the parameter FirstRecord.
  - CVE-2023-6428: through /invoicing/app/items_view.php, in the parameter FirstRecord.
  - CVE-2023-6429: through /invoicing/app/clients_view.php, in the parameter FirstRecord.
- Online Inventory Manager 3.2:
  - CVE-2023-6430: through /inventory/transactions_view.php, in the parameter FirstRecord.
  - CVE-2023-6431: through /inventory/categories_view.php, in the parameter FirstRecord.
  - CVE-2023-6432: through /inventory/items_view.php, in the parameter FirstRecord.
  - CVE-2023-6433: through /inventory/suppliers_view.php, in the parameter FirstRecord.
  - CVE-2023-6434: through /inventory/sections_view.php, in the parameter FirstRecord.
  - CVE-2023-6435: through /inventory/batches_view.php, in the parameter FirstRecord.
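The insufficient-encoding pattern described in the Headline and Detail sections, shown as an added Python example that is not BigProf's code and not taken from the advisory. It models the flaw (a request parameter interpolated into HTML verbatim) beside a hardened version that validates the value and applies contextual HTML encoding, and adds a small check over constructed web-server access-log lines that flags requests whose FirstRecord value is not a plain integer. The assumptions are that FirstRecord is a numeric pagination offset and that the affected pages echoed it back into HTML without encoding; the helper names and the sample log lines are constructed for this example.

```python
"""Added example, not BigProf's code: models the unencoded-parameter flaw behind
CVE-2023-6422..6435, the hardened rendering, and a log check for abnormal values.
Assumptions (not from the advisory): FirstRecord is a numeric pagination offset
and the vulnerable pages echoed it into HTML unencoded."""
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_pager_vulnerable(first_record: str) -> str:
    """Models the flaw: user-controlled value interpolated into HTML verbatim."""
    return f'<input type="hidden" name="FirstRecord" value="{first_record}">'


def render_pager_hardened(first_record: str) -> str:
    """Defence in depth: validate the expected shape, then encode for the HTML
    attribute context anyway so a later change in validation cannot reopen the bug."""
    # Defence 1: a pagination offset must be a non-negative integer; anything else
    # falls back to the first record instead of being echoed.
    if not re.fullmatch(r"[0-9]{1,9}", first_record):
        first_record = "1"
    # Defence 2: contextual output encoding (quote=True also escapes the double
    # quote that would otherwise break out of the attribute).
    safe = html.escape(first_record, quote=True)
    return f'<input type="hidden" name="FirstRecord" value="{safe}">'


# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2023:10:00:01 +0000] "GET /inventory/batches_view.php?FirstRecord=21 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Dec/2023:10:00:07 +0000] "GET /inventory/batches_view.php?FirstRecord=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210',
    '10.0.0.9 - - [01/Dec/2023:10:00:09 +0000] "GET /clinic/patients_view.php?FirstRecord=1%22%20onmouseover%3D%22x HTTP/1.1" 200 4800',
    '10.0.0.5 - - [01/Dec/2023:10:00:12 +0000] "GET /invoicing/app/items_view.php?FirstRecord=41 HTTP/1.1" 200 5100',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_first_record_requests(log_lines):
    """Return (line_number, decoded FirstRecord value) for every request whose
    FirstRecord parameter is not a plain integer. parse_qs percent-decodes the
    value, so encoded markup in the log is compared in its decoded form."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get("FirstRecord", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    print("vulnerable :", render_pager_vulnerable("<script>alert(1)</script>"))
    print("hardened   :", render_pager_hardened("<script>alert(1)</script>"))
    for number, value in flag_first_record_requests(SAMPLE_LOG):
        print(f"log line {number}: non-numeric FirstRecord {value!r}")
```

The hardened renderer keeps both defences on purpose: validation alone is enough for a numeric offset, but output encoding is the control that survives a later change that widens what the parameter accepts. The log check is a coarse triage aid for the affected pages, to be run on historical logs to see whether non-numeric values were ever submitted; it reports the decoded value so an analyst can judge it directly.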