CVE-2023-6428: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in BigProf Online Invoicing System
A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.
AI Analysis
Technical Summary
CVE-2023-6428 is a medium-severity vulnerability identified in BigProf Online Invoicing System version 2.6. The flaw is a persistent Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, caused by improper neutralization of user input during web page generation. Specifically, the vulnerability exists in the /invoicing/app/items_view.php endpoint, where the 'FirstRecord' parameter fails to sufficiently encode user-supplied input. This allows an attacker to inject malicious JavaScript payloads that are stored persistently on the server and executed whenever the affected page is loaded by any user. The vulnerability requires no authentication (PR:N) but does require user interaction (UI:R) to trigger the malicious script execution. The CVSS 3.1 base score is 6.3, reflecting a medium severity level, with network attack vector (AV:N), low attack complexity (AC:L), and impacts on confidentiality, integrity, and availability, albeit limited (C:L/I:L/A:L). Persistent XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware. Since the vulnerability is in an invoicing system, exploitation could compromise sensitive financial data and disrupt business operations. No known public exploits or patches are currently available, increasing the urgency for organizations using this software to implement mitigations proactively.
Potential Impact
For European organizations using BigProf Online Invoicing System 2.6, this vulnerability poses a significant risk to the confidentiality and integrity of financial data and user sessions. Persistent XSS can enable attackers to steal session cookies, impersonate legitimate users, or perform unauthorized transactions, potentially leading to financial fraud or data breaches. The availability impact, while rated low, could manifest as denial of service if malicious scripts disrupt normal application functionality. Given the invoicing system's role in managing sensitive billing and payment information, exploitation could also damage organizational reputation and violate data protection regulations such as GDPR. The requirement for user interaction means phishing or social engineering could be used to lure users into triggering the payload. The lack of an authentication requirement for exploitation increases the attack surface, allowing external attackers to target exposed systems directly. European companies in finance and retail, as well as SMEs relying on this software, are particularly exposed to operational disruption and compliance risks.
Mitigation Recommendations
Since no official patch is currently available, European organizations should implement immediate compensating controls. These include:
1. Applying strict input validation and output encoding on the 'FirstRecord' parameter at the web application firewall (WAF) or reverse proxy level to block or sanitize malicious payloads.
2. Employing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
3. Conducting user awareness training to reduce the risk of social engineering attacks that trigger the XSS payload.
4. Monitoring web server logs and application behavior for unusual or suspicious requests targeting the vulnerable endpoint.
5. Isolating or restricting access to the invoicing system to trusted internal networks or VPNs to reduce exposure.
6. Planning for an urgent update or patch deployment once BigProf releases a fix.
7. Reviewing and hardening session management controls to mitigate session hijacking risks.
These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameter and attack vector.
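One way to implement the log monitoring recommended above, as an added example that is not code from BigProf or from the original advisory: it parses access-log lines in the combined log format (an assumed format), selects requests to /invoicing/app/items_view.php, and flags any FirstRecord value that still contains HTML delimiters after URL decoding, including double-encoded values. The sample log lines are constructed.

```python
"""Flag access-log requests to the vulnerable endpoint whose FirstRecord value
carries HTML markup characters (recommendation 4 above)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/invoicing/app/items_view.php"  # endpoint named in the advisory
PARAM = "FirstRecord"                        # parameter named in the advisory
# A record offset never legitimately contains tag or attribute delimiters.
MARKUP_CHARS = re.compile(r"""[<>"']""")
# Combined log format (assumed; adjust the pattern to your server's format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def suspicious_first_record(line):
    """Return the decoded FirstRecord value when the request targets the
    vulnerable endpoint and the value contains markup characters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = unquote_plus(raw)  # second decode catches double-encoded values
        if MARKUP_CHARS.search(value):
            return value
    return None

def scan(lines):
    """Return (client address, decoded value) for every suspicious request."""
    hits = []
    for line in lines:
        value = suspicious_first_record(line)
        if value is not None:
            hits.append((LOG_RE.match(line).group("client"), value))
    return hits

# Constructed sample log lines (not real traffic): a benign offset, an encoded
# tag, a double-encoded tag, and a different page that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2025:08:01:43 +0000] "GET /invoicing/app/items_view.php?FirstRecord=20 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Jun/2025:08:02:10 +0000] "GET /invoicing/app/items_view.php?FirstRecord=%3Cscript%3E HTTP/1.1" 200 5133',
    '198.51.100.4 - - [04/Jun/2025:08:03:01 +0000] "GET /invoicing/app/items_view.php?FirstRecord=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5140',
    '198.51.100.9 - - [04/Jun/2025:08:04:30 +0000] "GET /invoicing/app/invoices_view.php?FirstRecord=%3Cb%3E HTTP/1.1" 200 4800',
]
```

Running scan(SAMPLE_LOG) yields the two requests whose decoded FirstRecord value contains markup; a non-numeric or markup-bearing value on this parameter is worth alerting on even before a fix is deployed.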
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2023-11-30T10:45:59.186Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 683ffd67182aa0cae2a3884a
Added to database: 6/4/2025, 8:01:43 AM
Last enriched: 7/5/2025, 11:26:49 PM
Last updated: 8/15/2025, 12:13:21 AM
Views: 12