CVE-2023-6435 Vulnerability Details

  /     /     /  

CVE-2023-6435 Metadata Quick Info

CVE Published: 30/11/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: INCIBE | Vendor: BigProf | Product: Online Inventory Manager
Status : PUBLISHED

---

CVE-2023-6435 Description

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads.

Metrics

CVSS Version: 3.1 | Base Score: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* LOW
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-79
CWE Name: CWE-79 Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )
Source: BigProf

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).