Unknown · Invoiceplane · CVE-2024-12362
**Name of the Vulnerable Software and Affected Versions**
InvoicePlane versions up to 1.6.1
**Description**
A path traversal vulnerability was found in InvoicePlane. It affects the `download` function in the file `invoices.php`: manipulation of the `invoice` argument lets a caller traverse outside the directory the function is meant to serve from. The attack can be initiated remotely. In a download handler, path traversal typically allows reading files outside the intended directory that the web server process can access. The vendor was contacted early and quickly released a fixed version of the affected product.
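The pattern behind this class of bug, and the fix, as an added example written for this page (it is not InvoicePlane's code, and the directory layout, function names and the `INV-0001.pdf` sample file are assumptions): a download handler joins a request parameter to an invoice directory unchecked, beside a hardened resolver that allow-lists the filename and then verifies the canonical path still lies under the base directory.

```python
import os
import re
import tempfile
from typing import Optional


# Constructed sample data: a scratch directory holding one generated invoice PDF.
def make_sample_dir() -> str:
    base = tempfile.mkdtemp(prefix="invoices_")
    with open(os.path.join(base, "INV-0001.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    return base


def vulnerable_path(base_dir: str, invoice: str) -> str:
    """Vulnerable pattern (hypothetical, not InvoicePlane's code): the request
    parameter is joined to the invoice directory without validation.
    '../../etc/passwd' walks out of the directory, and an absolute value such
    as '/etc/passwd' makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, invoice))


def is_within(base_dir: str, candidate: str) -> bool:
    """Canonicalise both paths (resolving '..' and symlinks) and require that
    the candidate lies under base_dir. Comparing commonpath, not a string
    prefix, stops '/srv/invoices-old/x.pdf' from passing as '/srv/invoices'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


# Allow-list: a single filename component, no separators, no percent signs, no NULs.
INVOICE_NAME = re.compile(r"[A-Za-z0-9_-]+\.pdf")


def safe_path(base_dir: str, invoice: str) -> Optional[str]:
    """Hardened resolver. Returns the file to serve, or None to refuse the request.
    Two independent layers: an allow-list on the name, then a containment check
    on the canonical path, so a gap in one does not expose the filesystem."""
    if not INVOICE_NAME.fullmatch(invoice):
        return None
    candidate = os.path.join(os.path.realpath(base_dir), invoice)
    if not is_within(base_dir, candidate):
        return None
    if not os.path.isfile(candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    d = make_sample_dir()
    for name in ["INV-0001.pdf", "../../etc/passwd", "/etc/passwd", "INV-0001.pdf%00"]:
        print(f"{name!r:24} vulnerable -> {vulnerable_path(d, name)}")
        print(f"{'':24} hardened   -> {safe_path(d, name)}")
```

The allow-list alone would already block the payloads shown, but keeping the containment check means a later relaxation of the regex (for example to permit subdirectories) does not silently reopen the traversal.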
**Recommendations**
For InvoicePlane versions up to 1.6.1, upgrade to version 1.6.2-beta-1, which addresses this issue. Until the upgrade is applied, restrict access to `invoices.php` as a temporary workaround. It is also worth reviewing web server access logs for requests to `invoices.php` whose `invoice` parameter contains `..`, an absolute path, or encoded forms of either, since those are the signs of exploitation attempts against this issue.