PT-2024-17570 · Unknown · Invoiceplane
Dan_Ac
·
Published
2024-12-16
·
Updated
2025-10-15
·
CVE-2024-12362
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
InvoicePlane versions up to 1.6.1
Description
A path traversal vulnerability was found in InvoicePlane in the download function of the file invoices.php. The invoice argument is used to build the path of the file to be served, and manipulating it (for example with ../ segments) lets the caller request files outside the intended invoice directory. The attack can be launched remotely; per the CVSS vector it needs an authenticated low-privileged account (PR:L) and no user interaction. The vendor was contacted early and quickly released a fixed version of the affected product.
Recommendations
For InvoicePlane versions up to 1.6.1, upgrade to version 1.6.2-beta-1, which addresses this issue. As a temporary workaround until the upgrade is applied, restrict access to the invoices.php file (for example to trusted accounts or source addresses); note that this also blocks legitimate invoice downloads through that endpoint.
Fix
Path traversal
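To make the vulnerability class and the fix concrete, here is an added PHP example; it is not InvoicePlane's code, and the handler names, the allowlist pattern and the directory layout are assumptions. Only the parameter name invoice and the idea of a download action come from the advisory. The vulnerable handler splices the request value into a filesystem path; the hardened one allowlists the name, canonicalises with realpath() and checks that the resolved file sits under the invoice directory.

```php
<?php
// Added example (not InvoicePlane code). download_vulnerable() and
// download_hardened() are hypothetical handlers built only to show the pattern.
declare(strict_types=1);

// Vulnerable pattern: the request parameter is spliced straight into the path,
// so "invoice=../private/secret.txt" walks out of the invoice directory.
function download_vulnerable(string $baseDir, string $invoice): string
{
    $path = $baseDir . '/' . $invoice;
    if (!is_file($path)) {
        throw new RuntimeException('not found');
    }
    return $path;
}

// Hardened pattern: allowlist the name, then canonicalise and check containment.
function download_hardened(string $baseDir, string $invoice): string
{
    // 1. Accept only a bare file name: no separators, no dot segments, no NUL,
    //    fixed extension. The exact pattern is an assumption for this example.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.pdf\z/', $invoice)) {
        throw new InvalidArgumentException('invalid invoice name');
    }
    // 2. Canonicalise both sides. realpath() resolves ".." and symlinks and
    //    returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $invoice);
    if ($base === false || $path === false) {
        throw new RuntimeException('not found');
    }
    // 3. Containment: the resolved file must sit under the resolved base dir.
    //    The trailing separator stops "/srv/invoices2" matching "/srv/invoices".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('path escapes invoice directory');
    }
    return $path;
}

// Constructed fixture: a throwaway directory tree with one invoice and one
// file that must never be served.
$root = sys_get_temp_dir() . '/ptrav_' . bin2hex(random_bytes(4));
mkdir($root . '/invoices', 0700, true);
mkdir($root . '/private', 0700, true);
file_put_contents($root . '/invoices/INV-0001.pdf', "%PDF-1.4 sample\n");
file_put_contents($root . '/private/secret.txt', "not an invoice\n");
$invoiceDir = $root . '/invoices';

// Constructed probes: one legitimate name and two traversal attempts.
$probes = [
    'INV-0001.pdf',           // legitimate: served by both handlers
    '../private/secret.txt',  // classic traversal: served only by the vulnerable one
    "INV-0001.pdf\0.txt",     // NUL-byte trick: rejected by the allowlist
];

foreach ($probes as $p) {
    foreach (['download_vulnerable', 'download_hardened'] as $fn) {
        try {
            $result = 'served ' . $fn($invoiceDir, $p);
        } catch (Throwable $e) {
            $result = 'rejected (' . $e->getMessage() . ')';
        }
        printf("%-19s %-28s %s\n", $fn, json_encode($p), $result);
    }
}

// Clean up the fixture.
unlink($invoiceDir . '/INV-0001.pdf');
unlink($root . '/private/secret.txt');
rmdir($invoiceDir);
rmdir($root . '/private');
rmdir($root);
```

Two points a reviewer would check when applying this pattern to a real handler: the check must run on the value after the framework has URL-decoded it (so %2e%2e is seen as ..), and the realpath() containment step is what catches a symlink inside the invoice directory that points elsewhere, which the name allowlist alone would miss.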
Weakness Enumeration
Related Identifiers
Affected Products
Invoiceplane