CVE-2020-35674

Name of the Vulnerable Software and Affected Versions BigProf Online Invoicing System versions prior to 2.9

Description The issue is related to an unauthenticated SQL Injection in the /membership passwordReset.php endpoint, which is used for self-service password resets. An attacker can send a crafted payload to extract sensitive information from the database, potentially leading to an application takeover. This was caused by a custom sanitization implementation intended for use in legacy environments.

Recommendations For versions prior to 2.9, update to version 2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the /membership passwordReset.php endpoint until the update is applied.