Mickaël Benassouli

**Name of the Vulnerable Software and Affected Versions** Invoice Ninja versions prior to 5.10.43 **Description** The issue allows remote code execution from a pre-authenticated route when an attacker knows the `APP KEY`. This is exacerbated by .env files that have default `APP KEY` values. The route `route/{hash}` defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter `{hash}` is passed to the `decrypt` function that expects a Laravel ciphered value containing a serialized object. Laravel contains several gadget chains that can be used to trigger remote command execution from arbitrary deserialization. Therefore, an attacker in possession of the `APP KEY` can fully control a string passed to an `unserialize` function. **Recommendations** For versions prior to 5.10.43, upgrade to version 5.10.43 or later to resolve the issue. As a temporary workaround, consider restricting access to the `route/{hash}` route or disabling the `decrypt` function until a patch is applied. Additionally, ensure that default `APP KEY` values from .env files are changed to unique, secure values to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Crater Invoice (affected versions not specified) **Description** A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the `APP KEY` to achieve remote command execution on the server by manipulating the `laravel session` cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector relies on an attacker obtaining Laravel's secret `APP KEY`, which would allow them to decrypt and manipulate session cookies containing serialized data. By altering this data and re-encrypting it with the `APP KEY`, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Snipe-IT versions prior to 7.0.10 **Description** The issue allows remote code execution when an attacker knows the `APP KEY`, which is associated with cookie serialization. This is worsened by the availability of .env files from the product's repository that contain default `APP KEY` values. **Recommendations** For versions prior to 7.0.10, update to version 7.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `APP KEY` and ensuring that .env files do not contain default values.