Mqt

**Name of the Vulnerable Software and Affected Versions** BigProf Online Invoicing System versions prior to 4.0 **Description** The issue arises from inadequate sanitization of fields for HTML characters when an administrator creates a new group using the "admin/pageEditGroup.php" endpoint, resulting in Stored XSS. Although an attacker would need administrative privileges to create the payload, the lack of CSRF protection on the endpoint responsible for creating the group poses a significant risk. **Recommendations** For versions prior to 4.0, update to version 4.0 or later to resolve the issue. As a temporary workaround, consider implementing CSRF protection on the "admin/pageEditGroup.php" endpoint and ensuring proper sanitization of fields for HTML characters to prevent Stored XSS attacks. Restrict access to the "admin/pageEditGroup.php" endpoint to minimize the risk of exploitation.