PT-2024-36552 · Unknown · Crater Invoice

Author: Mickaël Benassouli (+1)

Published: 2024-12-13 · Updated: 2025-07-15 · CVE-2024-55556

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Crater Invoice (affected versions not specified)

Description: A vulnerability in Crater Invoice allows an unauthenticated attacker who knows the application's Laravel APP_KEY to achieve remote command execution on the server by manipulating the Laravel session cookie, exploiting arbitrary deserialization of the encrypted session data. The exploitation vector relies on the attacker obtaining Laravel's secret APP_KEY, which allows them to decrypt and manipulate session cookies containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
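The description above makes the trust boundary explicit: Laravel's encrypted cookie is a base64-encoded JSON envelope whose integrity rests only on an HMAC-SHA256 computed with APP_KEY, so whoever holds the key can issue session payloads the server will accept. The following Python example is added here to illustrate that boundary from the defender's side; it is not code from the advisory or from the Crater project. It verifies the MAC of a cookie envelope without decrypting anything, and shows two consequences a responder relies on: a payload modified without the key fails the check, and rotating APP_KEY invalidates every cookie issued under the old key (the only immediate mitigation available while no fixed version exists). Envelope layout (`iv`, `value`, `mac` fields, MAC over the concatenated base64 strings, `base64:` key prefix) follows Laravel's Encrypter as the author understands it; the sample cookies are constructed in the script and carry an opaque placeholder blob, not real session data.

```python
import base64
import hashlib
import hmac
import json
import secrets


def load_app_key(app_key: str) -> bytes:
    """Decode a Laravel APP_KEY as written in .env ('base64:<key>')."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def cookie_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """HMAC-SHA256 over the base64 iv and value, as Laravel's Encrypter does (assumption)."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def verify_cookie_mac(cookie: str, app_key: str) -> bool:
    """Return True only if the envelope's MAC was produced with app_key.

    Malformed input (not base64, not JSON, missing fields) is rejected rather than raised,
    which is how a middleware-style check should behave on untrusted cookies.
    """
    try:
        payload = json.loads(base64.b64decode(cookie))
        iv_b64, value_b64, mac = payload["iv"], payload["value"], payload["mac"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(mac, str):
        return False
    expected = cookie_mac(load_app_key(app_key), iv_b64, value_b64)
    # Constant-time comparison: a naive == would leak MAC bytes through timing.
    return hmac.compare_digest(expected, mac)


def make_sample_cookie(app_key: str, opaque_blob: bytes) -> str:
    """Constructed sample: wrap an opaque blob in the envelope under app_key.

    No session data or serialized objects are involved; the blob stands in for ciphertext.
    """
    iv_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    value_b64 = base64.b64encode(opaque_blob).decode()
    payload = {
        "iv": iv_b64,
        "value": value_b64,
        "mac": cookie_mac(load_app_key(app_key), iv_b64, value_b64),
    }
    return base64.b64encode(json.dumps(payload).encode()).decode()


def generate_app_key() -> str:
    """Fresh 32-byte key in Laravel's .env notation (used here for the rotation demo)."""
    return "base64:" + base64.b64encode(secrets.token_bytes(32)).decode()


def tampering_demo(app_key: str) -> tuple:
    """(original verifies, modified-without-key verifies) -> expected (True, False)."""
    cookie = make_sample_cookie(app_key, b"opaque-ciphertext-placeholder")
    payload = json.loads(base64.b64decode(cookie))
    payload["value"] = base64.b64encode(b"bytes changed without the key").decode()
    modified = base64.b64encode(json.dumps(payload).encode()).decode()
    return verify_cookie_mac(cookie, app_key), verify_cookie_mac(modified, app_key)


def rotation_demo() -> tuple:
    """(verifies under old key, verifies under rotated key) -> expected (True, False).

    This is why rotating APP_KEY is the immediate response to a suspected key leak:
    every cookie issued under the old key stops validating.
    """
    old_key = generate_app_key()
    cookie = make_sample_cookie(old_key, b"opaque-ciphertext-placeholder")
    new_key = generate_app_key()
    return verify_cookie_mac(cookie, old_key), verify_cookie_mac(cookie, new_key)


if __name__ == "__main__":
    key = generate_app_key()
    print("tampering  (original ok, modified ok):", tampering_demo(key))
    print("rotation   (old key ok, new key ok):  ", rotation_demo())
    print("garbage cookie accepted:", verify_cookie_mac("not-a-cookie", key))
```

Note that neither check inspects what is inside `value`: the MAC accepts anything signed with the current key, which is exactly the property the advisory's attacker relies on. Treating APP_KEY as a production secret (never committed, never reused across environments, rotated on any suspicion of disclosure) is therefore the control that matters here.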

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-55556

Affected Products: Crater Invoice