Indian Invoicing System
Stored cross-site scripting in SourceCodester Indian Invoicing System versions 0.x and 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `customer_name` parameter in `/Invoicing/add_order.php`, which is persisted to the database and executed in the browsers of users who subsequently view the rendered invoice template. A public proof-of-concept exploit is available on GitHub (gist by c4ttr4ck), though EPSS sits at only 0.03% (9th percentile) and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. Impact is limited to partial integrity on the vulnerable system with no confidentiality or availability consequences, consistent with the CVSS 4.0 score of 2.0.
Reflected cross-site scripting (XSS) in SourceCodester Indian Invoicing System 1.0 allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by manipulating the `msg` parameter in `/Invoicing/category.php`. A proof-of-concept exploit is publicly available on GitHub. Despite the public POC, EPSS stands at just 0.03% (10th percentile) and the vulnerability is absent from CISA KEV, reflecting the narrow deployment footprint of this niche PHP invoicing application and the user-interaction requirement that limits automated exploitation.
Improper access control across multiple backend endpoints in SourceCodester Indian Invoicing System 1.0 permits authenticated low-privilege users to reach restricted functionality beyond their authorization level. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms remote exploitation requiring only low-level credentials, with confidentiality, integrity, and availability all assessed at low impact across the vulnerable system. A publicly available proof-of-concept exploit exists (hosted on GitHub), though EPSS remains at 0.04% (11th percentile) and the vulnerability is not in the CISA KEV catalog, indicating no confirmed widespread exploitation at time of analysis.
SQL injection in SourceCodester Indian Invoicing System 1.0 allows a remote, low-privileged authenticated attacker to manipulate database queries through the `customer_name` and `category` parameters in `/Invoicing/IGST_Invoice.php`. The vulnerability yields partial confidentiality, integrity, and availability impact against the underlying database. Although an earlier assessment recorded no public exploit, publicly available exploit code does exist (GitHub gist); the application is nonetheless a niche, open-source invoicing tool with a limited deployment footprint and no confirmed active exploitation in the wild.