Session Expiration Vulnerability in InvoicePlane Software
CVE-2024-12667

5.9 MEDIUM

Key Information:

Vendor
CVE Published:
16 December 2024

What is CVE-2024-12667?

CVE-2024-12667 is a high-risk vulnerability identified in InvoicePlane versions up to 1.6.1. Improper access control in the '/invoices/view' functionality allows an attacker to manipulate that endpoint in a way that leads to session expiration, potentially granting unauthorized access to user sessions. Although the attack complexity is rated high, the exploitation method has been disclosed publicly and could be leveraged by malicious actors to compromise the security of the application. The vendor has released a fixed version (1.6.2-beta-1), and users should upgrade promptly to mitigate the risk.

Affected Version(s)

InvoicePlane 1.6.0

InvoicePlane 1.6.1

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

fahadletsleep (VulDB User)