CVE-2019-16330

MEDIUM

NCH Express Accounts Accounting v7.02 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16330. PoCs published by Debashis Pal.

AI-analyzed exploit summary This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in Express Accounts Accounting 7.02. The PoC shows how an attacker can inject malicious JavaScript into various input fields, which executes when other users access the affected sections.

Description

In NCH Express Accounts Accounting v7.02, persistent cross site scripting (XSS) exists in Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript.

Exploits (1)

exploitdb WORKING POC
by Debashis Pal · textwebappsphp
https://www.exploit-db.com/exploits/47505

This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in Express Accounts Accounting 7.02. The PoC shows how an attacker can inject malicious JavaScript into various input fields, which executes when other users access the affected sections.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Express Accounts Accounting v7.02
Auth required
Prerequisites: Authenticated access to the Express Accounts web interface
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/47505

Scores

CVSS v3 5.4
EPSS 0.0058
EPSS Percentile 43.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
nchsoftware/express_accounts_accounting 7.02
Published Oct 17, 2019
Tracked Since Feb 18, 2026