PT-2021-3467 · Unknown · Invoice Ninja

Ropwarejb · Published 2021-06-03 · Updated 2021-06-15 · CVE-2021-33898

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Invoice Ninja versions prior to 4.4.0

Description: The issue stems from an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php, which may allow an attacker to deserialize arbitrary PHP classes. In certain contexts this can result in remote code execution. The attacker's input must be hosted at http://www.geoplugin.net, so a successful attack requires spoofing that site or obtaining control of it.

Recommendations: For versions prior to 4.4.0, update to version 4.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the unserialize() function in app/Ninja/Repositories/AccountRepository.php until a patch is available. Restrict access to the AccountRepository.php file to minimize the risk of exploitation. Avoid using the unserialize() function in the affected context until the issue is resolved.
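The following is an added example written for this record; it is not Invoice Ninja's code and does not reproduce the fixed version. It assumes the vulnerable pattern is a geolocation lookup that fetches a PHP-serialized response from geoplugin.net and passes it straight to unserialize(), and it shows two defensive rewrites next to that pattern. The function names, the `php.gp`/`json.gp` endpoint paths and the sample payload are assumptions made for the illustration.

```php
<?php
// Added example, not Invoice Ninja's code. Function names are hypothetical.
// Requires allow_url_fopen for the network variants; the local demo at the
// bottom needs no network access.

// Vulnerable pattern: whatever the remote host returns is deserialized, so any
// class the autoloader can reach may be instantiated with attacker-chosen
// properties if the plain-HTTP response is spoofed or the host is compromised.
function geoLookupUnsafe(string $ip): array
{
    $raw = file_get_contents('http://www.geoplugin.net/php.gp?ip=' . urlencode($ip));
    return unserialize($raw);   // CWE-502: Deserialization of Untrusted Data
}

// Hardened pattern 1: same endpoint, but object instantiation is forbidden.
// With allowed_classes => false every serialized object is turned into
// __PHP_Incomplete_Class, so __wakeup/__destruct/__toString of real classes
// never run. Transport is also moved to HTTPS to raise the bar for spoofing.
function geoLookupNoObjects(string $ip): array
{
    $raw = file_get_contents('https://www.geoplugin.net/php.gp?ip=' . urlencode($ip));
    if ($raw === false) {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2 (preferred): use a data-only format. JSON cannot carry
// PHP objects, so the deserialization sink disappears entirely. The json.gp
// endpoint name is an assumption about the remote service.
function geoLookupJson(string $ip): array
{
    $raw = file_get_contents('https://www.geoplugin.net/json.gp?ip=' . urlencode($ip));
    if ($raw === false) {
        return [];
    }
    $data = json_decode($raw, true);   // true => associative arrays, never objects
    return is_array($data) ? $data : [];
}

// Local demonstration with a constructed payload (no network): a serialized
// object is neutralised by allowed_classes => false, while the same data in
// JSON decodes to a plain array.
$constructed = 'O:8:"stdClass":1:{s:4:"city";s:6:"Berlin";}';
$neutralised = unserialize($constructed, ['allowed_classes' => false]);
assert($neutralised instanceof __PHP_Incomplete_Class);

$asJson = json_decode('{"city":"Berlin"}', true);
assert(is_array($asJson) && $asJson['city'] === 'Berlin');
```

Of the two rewrites, the JSON variant is the one to prefer: `allowed_classes => false` removes gadget-chain execution but still parses an attacker-controlled format with a large native parser, whereas a data-only format removes the class of bug rather than one instance of it.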

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2021-03331
CVE-2021-33898

Affected Products

Invoice Ninja