← Back to CVE List

CVE-2020-35674

Published: 2022-09-29T03:15Z
Last Modified: 2024-11-21T05:27Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt