Directory Traversal and Misconfigured Web Server in InvoicePlane by InvoicePlane
CVE-2021-29024

7.5HIGH

Key Information:

Vendor: Invoiceplane
Status: Invoiceplane
Vendor: CVE Published:; 17 May 2021

🔔 Create Invoiceplane Vulnerability Alert

What is CVE-2021-29024?

In InvoicePlane version 1.5.11, a misconfigured web server facilitates unauthenticated access that enables directory listing and file downloads. This vulnerability allows attackers to exploit the server configuration to perform directory traversal attacks, gaining unauthorized access to files that should remain private, thus compromising the integrity and confidentiality of sensitive data.

References

https://notnnor.github.io/research/2021/03/17/files-or-di...

https://github.com/InvoicePlane/InvoicePlane/pull/754

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 17, 2021
Vulnerability Reserved
Mar 22, 2021