CVE-2019-7223

Name of the Vulnerable Software and Affected Versions InvoicePlane version 1.5

Description The issue is related to stored XSS via the invoice password parameter, also known as the "PDF password" field, in the "Create Invoice" option. The XSS payload is rendered at an "index.php/invoices/view/##" URI.

Recommendations For InvoicePlane version 1.5, as a temporary workaround, consider restricting access to the invoice password parameter in the index.php/invoices/ajax/save endpoint until a patch is available. Avoid using the invoice password parameter in the affected API endpoint until the issue is resolved.