PT-2024-36551 · Unknown · Invoice Ninja

Mickaël Benassouli +1 · Published 2024-12-13 · Updated 2025-01-13 · CVE-2024-55555

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Invoice Ninja versions prior to 5.10.43

Description

The issue allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files that have default APP_KEY values. The route/{hash} route, defined in the invoiceninja/routes/client.php file, can be accessed without authentication. The {hash} parameter is passed to the decrypt function, which expects a Laravel ciphered value containing a serialized object. Laravel contains several gadget chains that can be used to trigger remote command execution from arbitrary deserialization. Therefore, an attacker in possession of the APP_KEY can fully control a string passed to an unserialize function.

Recommendations

For versions prior to 5.10.43, upgrade to version 5.10.43 or later to resolve the issue. As a temporary workaround, consider restricting access to the route/{hash} route or disabling the decrypt function until a patch is applied. Additionally, ensure that default APP_KEY values from .env files are changed to unique, secure values to prevent exploitation.
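One way to check the last recommendation on a deployment, as an added example (not code from Invoice Ninja or from this advisory): compare the APP_KEY in the live .env with the keys in the env files shipped with the source tree. The file name `.env.example` and all key values below are constructed placeholders, and the operator is assumed to supply the text of the shipped files.

```python
import re

# Matches an APP_KEY assignment in dotenv syntax; commented-out lines do not match.
KEY_LINE = re.compile(
    r"^[ \t]*(?:export[ \t]+)?APP_KEY[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE
)


def app_keys(env_text):
    """Return every non-empty APP_KEY value assigned in the given .env text."""
    values = (m.group(1).strip().strip("'\"") for m in KEY_LINE.finditer(env_text))
    return [v for v in values if v]


def audit_app_key(deployed_env, shipped_envs):
    """Compare the deployed APP_KEY with keys found in shipped env files.

    deployed_env: text of the live .env
    shipped_envs: {file name: text} for env files distributed with the source
    Returns a list of findings; an empty list means no reuse was found.
    """
    deployed = set(app_keys(deployed_env))
    if not deployed:
        return ["APP_KEY is missing or empty in the deployed .env"]
    findings = []
    for name, text in shipped_envs.items():
        # Any overlap means the secret is a value that is public in the source tree.
        if deployed & set(app_keys(text)):
            findings.append(f"deployed APP_KEY equals the value shipped in {name}")
    return findings


# Constructed sample data: placeholder file name and key values, not real keys.
SHIPPED = {".env.example": "APP_NAME=demo\nAPP_KEY=base64:PLACEHOLDER-SHIPPED-KEY=\n"}
BAD_ENV = 'APP_ENV=production\r\nAPP_KEY="base64:PLACEHOLDER-SHIPPED-KEY="\r\n'
GOOD_ENV = "APP_ENV=production\nAPP_KEY=base64:PLACEHOLDER-UNIQUE-KEY=\n"
EMPTY_ENV = "APP_KEY=\nDB_HOST=localhost\n"

if __name__ == "__main__":
    for label, env in (("bad", BAD_ENV), ("good", GOOD_ENV), ("empty", EMPTY_ENV)):
        print(label, audit_app_key(env, SHIPPED) or "no shipped key reuse found")
```

A finding means the key must be rotated in addition to upgrading, since anything previously encrypted or signed with the shipped value can be reproduced by anyone with the source.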

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2024-55555

Affected Products

Invoice Ninja