Lagathos

**Name of the Vulnerable Software and Affected Versions** Twenty CRM versions 1.7.7 through 1.16.7 **Description** A Remote Code Execution (RCE) issue exists via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, any authenticated user can execute arbitrary OS commands on the database server. This occurs because the `timeZone` parameter in the REST API 'groupBy' endpoint is directly interpolated into a raw SQL expression using JavaScript template literals without parameterization, validation, or escaping. This affects the `get-group-by-expression.util.ts` function. **Recommendations** For versions 1.7.7 through 1.16.7, update the software to a version where the `timeZone` parameter is properly sanitized. As a temporary workaround, restrict the database user permissions to ensure the Postgres user is not a superuser to prevent the execution of OS commands.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions 1.7.0 through 1.7.0 **Description** InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) issue exists through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public invoice template` setting to include poisoned log files containing PHP code. The vulnerability involves manipulating the `public invoice template` setting. **Recommendations** Update InvoicePlane to version 1.7.1.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions prior to 1.7.1 **Description** InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the `family name` field in version 1.7.0. The `family name` value is displayed without proper HTML encoding within the family dropdown on the product form. If an administrator creates a family with a malicious name, the payload will execute in the browser of any administrator accessing the product form. **Recommendations** Update to version 1.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane versions prior to 1.7.1 **Description** A Stored Cross-Site Scripting (XSS) issue exists in InvoicePlane. An authenticated administrator can inject malicious JavaScript through the Invoice Number field. This injected script executes when any administrator views the affected invoice or accesses the dashboard. **Recommendations** Update to version 1.7.1 or later.

**Name of the Vulnerable Software and Affected Versions** InvoicePlane version 1.7.0 InvoicePlane versions prior to 1.7.1 **Description** A Stored Cross-Site Scripting (XSS) issue exists in InvoicePlane. An authenticated administrator can inject malicious JavaScript through the Product Unit Name fields. This malicious code executes when any administrator views an invoice containing a product with the injected code. The vulnerable parameter is the Product Unit Name. **Recommendations** Update to version 1.7.1 or later.