Invoiceplane · Invoiceplane · CVE-2019-7223
**Name of the Vulnerable Software and Affected Versions**
InvoicePlane version 1.5
**Description**
The issue is a stored cross-site scripting (XSS) vulnerability via the `invoice password` parameter, also known as the "PDF password" field, in the "Create Invoice" option. The stored value is later rendered at an `index.php/invoices/view/##` URI, where the XSS payload executes in the browser of whoever views the invoice.
**Recommendations**
For InvoicePlane version 1.5, as a temporary workaround, consider restricting access to the `invoice password` parameter in the `index.php/invoices/ajax/save` endpoint until a patch is available. Avoid using the `invoice password` parameter in the affected API endpoint until the issue is resolved.
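The following is an added example, not InvoicePlane's own code, illustrating the two defender-side measures the description and recommendation above imply: a conservative input check on the "PDF password" value at save time (the stopgap), and HTML output encoding when the stored value is rendered in the invoice view (the actual fix for stored XSS). The function names, the attribute markup and the sample value are all constructed assumptions; only the field's role comes from the advisory.

```php
<?php
// Added example, not InvoicePlane code. Function names, markup and the
// sample value are constructed for illustration.

declare(strict_types=1);

/**
 * Output encoding: escape a value for safe insertion into HTML text or a
 * quoted attribute. ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE avoids
 * returning an empty string on malformed UTF-8 (which would silently drop
 * the value instead of rendering it).
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable rendering pattern: the stored field is concatenated into the
 * view as-is, so a value containing a double quote escapes the attribute.
 */
function renderPasswordFieldUnsafe(string $invoicePassword): string
{
    return '<input type="text" name="invoice_password" value="' . $invoicePassword . '">';
}

/**
 * Hardened rendering pattern: the same markup, but the value is encoded at
 * the point of output, which is the fix for this class of stored XSS.
 */
function renderPasswordFieldSafe(string $invoicePassword): string
{
    return '<input type="text" name="invoice_password" value="' . encodeForHtml($invoicePassword) . '">';
}

/**
 * Save-time stopgap matching the "restrict the parameter" recommendation:
 * a PDF password only needs to be a short, printable string, so anything
 * containing HTML-significant characters can be rejected at the save
 * endpoint while a patch is pending. This is defense in depth, not a
 * substitute for output encoding.
 */
function isAcceptablePdfPassword(string $value): bool
{
    if ($value === '' || strlen($value) > 64) {
        return false;
    }
    // Printable ASCII only, excluding < > " ' & which have meaning in HTML.
    return preg_match('/^[A-Za-z0-9 !#$%()*+,\-.\/:;=?@\[\]^_`{|}~]+$/', $value) === 1;
}

// Constructed sample: a stored value that closes the attribute early.
// No script is needed to show the problem; the extra attribute is enough.
$stored = 'abc" data-injected="1';

echo 'accepted at save: ' . (isAcceptablePdfPassword($stored) ? 'yes' : 'no') . PHP_EOL;
echo 'unsafe render:    ' . renderPasswordFieldUnsafe($stored) . PHP_EOL;
echo 'safe render:      ' . renderPasswordFieldSafe($stored) . PHP_EOL;
```

Run with `php example.php`. The unsafe line shows the attribute boundary broken by the stored value; the safe line shows the same value rendered literally inside the attribute. The acceptance check rejects the sample because of the double quote, which is the behaviour a save-endpoint restriction should have until the view-side encoding is in place.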