Improper Privilege Management in bigprof-software/online-invoicing-system


Reported on Aug 4th 2021


CSRF bug to approve member


CSRF bug allows approving any user


1. Let's assume signup is allowed in the settings page and new members need to be approved.
Now, as an external user, go to http://localhost/online-invoice/app/membership_signup.php and sign up for a new member with username user1.
Now the admin needs to approve this new user.
2. Finally, the new user sends http://localhost/online-invoice/app/admin/pageChangeMemberStatus.php?memberID=user1&approve=1 to the admin, and when the admin opens this URL the newly created user will be approved.
No CSRF token is checked here.
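For comparison, an added example (not code from online-invoicing-system or the fix commit) of how a member-status handler like the one above is protected against CSRF: the state change is only accepted over POST, with a per-session token that the admin page embeds as a hidden field and that the handler compares in constant time. The function names, the `csrf_token` field and the `is_admin` session flag are assumptions made for this example.

```php
<?php
// Added example: CSRF-protected "change member status" handler.
// Names (csrf_token_issue, csrf_token_verify, $_SESSION['csrf_token'],
// $_SESSION['is_admin']) are assumptions, not the project's own identifiers.
session_start();

// Issue one random token per session. The admin page embeds it in the
// approve form as: <input type="hidden" name="csrf_token" value="...">
function csrf_token_issue(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time;
// a missing token on either side is a rejection, never a pass.
function csrf_token_verify(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// The vulnerable handler acted on a plain GET (memberID=...&approve=1),
// so the browser performed the change when the admin merely opened a link.
// The hardened handler refuses anything but POST with a valid token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}
if (!csrf_token_verify($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}
if (empty($_SESSION['is_admin'])) {   // assumption: set by the admin login
    http_response_code(403);
    exit('Forbidden');
}

$memberID = $_POST['memberID'] ?? '';
$approve  = ($_POST['approve'] ?? '0') === '1' ? 1 : 0;
// ... apply the status change for $memberID here with a prepared statement ...
```

Rotating the token after each successful state change, and setting the session cookie with `SameSite=Lax` or `Strict`, further reduces the window in which a forged cross-site request could succeed.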

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 2 years ago
BigProf Software validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software marked this as fixed with commit 700f4a 2 years ago
BigProf Software has been awarded the fix bounty
This vulnerability will not receive a CVE