Express Invoice
Monthly
NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.