CVE-2019-16282

MEDIUM

NCH Express Invoice 7.12 - Authenticated Stored Cross-Site Scripting via Invoices/Items/Customers Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16282. PoCs published by Debashis Pal.

AI-analyzed exploit summary This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in Express Invoice v7.12. The PoC shows how an attacker can inject malicious JavaScript into fields like 'Customer', 'Items', 'Customers', and 'Quotes', which executes when other users access these sections.

Description

In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript.

Exploits (1)

exploitdb WORKING POC

by Debashis Pal · textwebappsphp

https://www.exploit-db.com/exploits/47496

View Code ZIP pw:eip

This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in Express Invoice v7.12. The PoC shows how an attacker can inject malicious JavaScript into fields like 'Customer', 'Items', 'Customers', and 'Quotes', which executes when other users access these sections.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Express Invoice v7.12

Auth required

Prerequisites: Authenticated access to the Express Invoice web interface

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/47496

Scores

CVSS v3 5.4

EPSS 0.0058

EPSS Percentile 43.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

nchsoftware/express_invoice 7.12

Published Oct 14, 2019

Tracked Since Feb 18, 2026