BigProf Online Inventory Manager Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in BigProf Online Inventory Manager version 3.2. The issue resides in the group description field within the admin edit groups section. This vulnerability allows attackers to inject malicious JavaScript that executes when the groups page is viewed, potentially leading to cookie theft and unauthorized execution of client-side scripts.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the groups page.
Reproduction
To reproduce this vulnerability, navigate to the admin edit groups section and select a group to edit. Inject a script payload into the description field. After saving the changes, return to the groups page, where the injected script executes.
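The flaw described above comes down to a stored description being written into the groups page without output encoding. The following is an added illustration in PHP, not BigProf's code: it shows that pattern beside an encoded version, plus a check for rows that already contain markup. All function names, field names and sample rows are hypothetical and constructed for the example.

```php
<?php
// Added illustration; function and field names are hypothetical, not BigProf's code.

// Vulnerable pattern: the stored description is concatenated into the page as-is,
// so markup saved in the field is parsed by the browser of whoever views the list.
function render_group_row_unsafe(array $group): string
{
    return '<tr><td>' . $group['name'] . '</td><td>' . $group['description'] . '</td></tr>';
}

// Encode a stored value for the HTML body/attribute context at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored value is encoded before it reaches the page.
function render_group_row(array $group): string
{
    return '<tr><td>' . h($group['name']) . '</td><td>' . h($group['description']) . '</td></tr>';
}

// Audit helper: flag descriptions that already contain tags, inline event
// handlers or javascript: URLs so they can be reviewed once the fix is deployed.
function find_suspect_descriptions(array $groups): array
{
    return array_values(array_filter($groups, function (array $g): bool {
        return $g['description'] !== strip_tags($g['description'])
            || preg_match('/\bon\w+\s*=|javascript:/i', $g['description']) === 1;
    }));
}

// Constructed sample rows standing in for the stored group records.
$groups = [
    ['name' => 'Admins', 'description' => 'Full access to all tables'],
    ['name' => 'Staff',  'description' => '<script>alert(1)</script>'],
];

foreach ($groups as $g) {
    echo render_group_row($g), PHP_EOL;   // the second row prints as inert &lt;script&gt; text
}
foreach (find_suspect_descriptions($groups) as $g) {
    echo 'Review group: ', h($g['name']), PHP_EOL;
}
```

Encoding at output time protects every page that displays the field, including rows saved before the fix; the audit pass identifies which stored values need cleaning.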
