Unrestricted File Upload Vulnerability in InvoicePlane
CVE-2024-12478

6.3MEDIUM

Key Information:

Vendor

InvoicePlane

Status
Invoiceplane
Vendor
CVE Published:
16 December 2024

What is CVE-2024-12478?

CVE-2024-12478 is a critical vulnerability discovered in InvoicePlane, specifically affecting versions up to 1.6.1. The vulnerability arises from the 'upload_file' function in the file '/index.php/upload/upload_file/1/1', which allows remote attackers to exploit it for unrestricted file uploads. This poses a significant risk, as it can lead to remote code execution on vulnerable installations. The vendor has promptly addressed the issue by releasing version 1.6.2-beta-1 as a patch. Users are highly encouraged to upgrade to this version to mitigate potential exploitation.

Affected Version(s)

InvoicePlane 1.6.0

InvoicePlane 1.6.1

References

https://vuldb.com/?id.288538
vdb-entrytechnical-description
https://vuldb.com/?ctiid.288538
signaturepermissions-required
https://vuldb.com/?submit.459910
third-party-advisory

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dan_AC (VulDB User)
.