BigProf Online Invoicing System prior to 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administrator and effectively taking over the application.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
bigprof online invoicing system |