{"id":"CVE-2020-35674","details":"BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL injection in /membership_passwordReset.php (the endpoint responsible for issuing self-service password resets). An unauthenticated attacker can send a request containing a crafted payload that extracts sensitive information from the database, eventually leading to an application takeover. This vulnerability was introduced because the developer rolled their own sanitization implementation in order to allow the application to be used in legacy environments.","modified":"2026-04-10T04:26:25.185627Z","published":"2022-09-29T03:15:14.130Z","references":[{"type":"WEB","url":"https://labs.ingredous.com/2020/07/13/ois-sqli/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bigprof-software/online-invoicing-system","events":[{"introduced":"0"},{"fixed":"1d715607a52fa77ba62e18fae071538f61f62c75"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.9"}]}}],"versions":["2.3","2.4","2.5","2.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35674.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}