Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Valid
There is a Stored XSS on the user profile edit page, which occurs due to improper sanitization of the Address field, as tested on the latest release.
🕵️♂️ Proof of Concept
Steps to reproduce:
1. Go to /admin/pageSettings.php and click "Preconfigured users and groups".
2. Add the payload "><img src=x onerror=alert(document.domain)> in the Name of the anonymous user, then save and exit.
3. Visit admin/pageViewMembers.php and see the stored XSS fire.
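The root cause the report describes is a stored value being written back into HTML without output encoding. The following PHP is an added example, not code from online-invoicing-system, showing the vulnerable rendering pattern next to the hardened one; the function names, the table-cell markup and the idea that the member name is rendered both as text and inside an attribute are assumptions made for illustration, and the sample value is constructed from the payload in the report.

```php
<?php
// Added example, not code from online-invoicing-system. Assumes a stored
// member name is read from the database and rendered into a table cell,
// both as text content and inside an attribute (assumed markup).

// Constructed sample: the value the report stores in the Name field.
$storedName = '"><img src=x onerror=alert(document.domain)>';

// Vulnerable pattern: the stored value is concatenated into HTML as-is.
// The leading " closes the attribute and the injected element is rendered,
// so the browser executes the onerror handler on every page view.
function renderNameVulnerable(string $name): string {
    return '<td title="' . $name . '">' . $name . '</td>';
}

// Hardened pattern: encode for the HTML context at output time, not at
// input time, so every stored value is neutralised regardless of how it
// got into the database. ENT_QUOTES encodes both " and ' so attribute
// values cannot be broken out of; ENT_SUBSTITUTE avoids htmlspecialchars
// returning an empty string on invalid UTF-8 (which would silently hide data).
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNameSafe(string $name): string {
    return '<td title="' . e($name) . '">' . e($name) . '</td>';
}

// Simple regression check a maintainer can keep in a test suite: the
// encoded output must contain no raw angle brackets or double quotes
// originating from the stored value.
function isEncodedSafely(string $html, string $original): bool {
    return strpos($html, $original) === false
        && preg_match('/<img\b/i', $html) === 0;
}

echo "Vulnerable: " . renderNameVulnerable($storedName) . PHP_EOL;
echo "Hardened:   " . renderNameSafe($storedName) . PHP_EOL;
echo "Check passes: " . var_export(isEncodedSafely(renderNameSafe($storedName), $storedName), true) . PHP_EOL;
```

The same encoding helper must be applied at every place the Name (or Address) value is echoed, since a stored payload fires wherever it is rendered, not only on the page where it was entered; a server-side filter at input time is a useful defence-in-depth layer but does not replace context-aware output encoding.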