CVE-2012-4932

Name of the Vulnerable Software and Affected Versions SimpleInvoices versions prior to stable-2012-1-CIS3000

Description The issue allows remote attackers to inject arbitrary web script or HTML via various fields and parameters, including the having parameter in a manage action to "index.php", the Email field in an Add User action, and multiple fields in Add Customer, Add Biller, Add Invoice, Process Payment, Payment Types, Invoice Preferences, Manage Products, and Tax Rates actions.

Recommendations For SimpleInvoices versions prior to stable-2012-1-CIS3000, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the affected fields and parameters, such as the having parameter, Email field, Customer Name field, and others, until a patch is available. Avoid using these fields in the affected API endpoints until the issue is resolved.