Naui95

Name of the Vulnerable Software and Affected Versions: InvoicePlane version 1.5.11 Description: The issue concerns a lack of rate-limiting for password reset and the use of a weak mechanism to generate reset tokens, making them predictable. Recommendations: For InvoicePlane version 1.5.11, consider disabling the password reset feature until a patch is available to prevent potential exploitation. Restrict access to the password reset module to minimize the risk of exploitation. Avoid using the password reset functionality in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: InvoicePlane version 1.5.11 Description: The issue allows unauthenticated directory listing and file download due to a misconfigured web server. This enables an attacker to perform directory traversal and download files that are supposed to be private without needing authentication. Recommendations: For InvoicePlane version 1.5.11, consider reconfiguring the web server to prevent unauthenticated directory listing and file download as a temporary workaround. Restrict access to sensitive directories and files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.