CVE-2020-35677

Name of the Vulnerable Software and Affected Versions BigProf Online Invoicing System versions prior to 4.0

Description The issue arises from inadequate sanitization of fields for HTML characters when an administrator creates a new group using the "admin/pageEditGroup.php" endpoint, resulting in Stored XSS. Although an attacker would need administrative privileges to create the payload, the lack of CSRF protection on the endpoint responsible for creating the group poses a significant risk.

Recommendations For versions prior to 4.0, update to version 4.0 or later to resolve the issue. As a temporary workaround, consider implementing CSRF protection on the "admin/pageEditGroup.php" endpoint and ensuring proper sanitization of fields for HTML characters to prevent Stored XSS attacks. Restrict access to the "admin/pageEditGroup.php" endpoint to minimize the risk of exploitation.