PT-2021-14369 · Unknown · Online Invoicing System

Mmrhassel · Published 2021-01-22 · Updated 2021-01-29 · CVE-2021-21260

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Online Invoicing System (OIS) version 4.0
Description: The issue is a stored XSS in the Online Invoicing System that can allow an attacker to take over the admin account. A stored payload extracts the CSRF token and then sends a request to change the password. The item description in app/items view.php is reflected without sanitization, which makes this scenario possible.
Recommendations: For version 4.0, consider disabling the app/items view.php functionality until a patch is available to prevent the exploitation of the stored XSS vulnerability. Restrict access to the admin account and monitor for any suspicious activity related to password changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
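Two defensive measures follow from the chain described above: encode the item description at output time so the stored payload never executes, and require the current password on the password-change endpoint so a stolen CSRF token alone is not enough. The PHP below is an added illustration, not code from OIS; the function names, the `$session`/`$post` arrays and the stored hash are assumptions.

```php
<?php
// Added illustration of the sink class in this advisory, not OIS code.

// Vulnerable pattern as the advisory describes it: the stored item
// description is concatenated into the page without encoding.
function render_description_vulnerable(string $description): string
{
    return '<td>' . $description . '</td>';
}

// Hardened form: HTML-encode at output time. ENT_QUOTES also encodes the
// single quote, so the value is safe inside quoted attributes as well.
function render_description_safe(string $description): string
{
    return '<td>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Password change with re-authentication. Script running in the admin's
// browser can read the CSRF token, so the token check alone does not stop
// the chain; the current password is the secret the payload does not have.
// $session and $post are assumed to be the session and POST arrays.
function change_password(array $session, array $post, string $stored_hash): bool
{
    if (!isset($session['csrf'], $post['csrf'], $post['current'], $post['new'])) {
        return false;
    }
    if (!hash_equals($session['csrf'], $post['csrf'])) {
        return false; // CSRF token missing or wrong
    }
    if (!password_verify($post['current'], $stored_hash)) {
        return false; // caller does not know the current password
    }
    // Persist password_hash($post['new'], PASSWORD_DEFAULT) here (storage omitted).
    return true;
}

// Constructed sample input: a description carrying markup.
$sample = "<script>alert('x')</script>";
echo render_description_vulnerable($sample), PHP_EOL; // markup reaches the page as-is
echo render_description_safe($sample), PHP_EOL;       // markup rendered inert
```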

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-21260
GHSA-RM79-5596-R7Q4

Affected Products

Online Invoicing System