Path Traversal Vulnerability in InvoicePlane Affects Invoices Functionality
CVE-2024-12362

4.3 MEDIUM

Key Information:

Vendor: InvoicePlane
CVE Published: 16 December 2024

Summary

CVE-2024-12362 describes a path traversal vulnerability in InvoicePlane versions up to 1.6.1, located in the file invoices.php. By manipulating an input argument, an attacker can gain unauthorized access to sensitive files on the server. The attack can be carried out remotely, which presents a substantial risk to installations that have not been upgraded to version 1.6.2-beta-1, the release that contains the security patch. All InvoicePlane users are strongly advised to upgrade to this patched version promptly to mitigate the threat.

Affected Version(s)

InvoicePlane 1.6.0

InvoicePlane 1.6.1

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Dan_AC (VulDB User)