PT-2026-33403 · Latepoint

Darkestmode · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-5234

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LatePoint versions prior to 5.3.3

Description: An Insecure Direct Object Reference exists because the OsStripeConnectController::create payment intent for transaction() function is registered as a public action that requires no authentication. The handler loads invoices by sequential integer invoice id values without verifying ownership or requiring an access key. Because the error messages differ for valid and invalid ids, an unauthenticated attacker can enumerate valid invoice IDs and create unauthorized transaction intent records containing sensitive financial data, including invoice id, order id, customer id, and charge amount. Additionally, on sites using Stripe Connect, the response leaks payment intent client secret tokens, transaction intent key values, and payment amounts for any invoice.

Recommendations: Update to a version newer than 5.3.2.
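The advisory describes two separate defects in one endpoint: an object loaded by a guessable integer id with no ownership or access-key check, and error messages that reveal which ids exist. The following PHP is an added illustration written for this page; it is not LatePoint's code and does not reproduce the affected controller. The function names (lp_get_invoice, lp_user_owns_invoice, lp_build_intent_payload, the lp_create_payment_intent action), the in-memory invoice store and the per-invoice access-key scheme are all assumptions. It contrasts a public WordPress AJAX handler that exhibits the described weakness with a hardened version that requires an unguessable per-invoice key or a verified owner, and that returns one generic failure for both "no such invoice" and "not authorized".

```php
<?php
// Added example for this advisory; hypothetical names and data throughout.

// Constructed sample store standing in for the plugin's invoice table.
// The access_key would be generated at invoice creation with lp_new_access_key().
$GLOBALS['lp_invoices'] = array(
    1 => (object) array( 'id' => 1, 'customer_user_id' => 42, 'order_id' => 7,
                         'amount' => 4900, 'access_key' => '3f1a9c0e5b7d2a4c6e8f0b1d3a5c7e9f' ),
);

// Unguessable key issued once per invoice and included in links sent to the customer.
function lp_new_access_key() {
    return bin2hex( random_bytes( 16 ) ); // 128 bits of randomness, hex encoded
}

function lp_get_invoice( $invoice_id ) {
    return $GLOBALS['lp_invoices'][ $invoice_id ] ?? null;
}

function lp_user_owns_invoice( $user_id, $invoice ) {
    return (int) $user_id === (int) $invoice->customer_user_id;
}

function lp_build_intent_payload( $invoice ) {
    // Only the fields the front end needs to continue the payment flow.
    return array( 'invoice_id' => $invoice->id, 'amount' => $invoice->amount );
}

// Weak pattern described in the advisory: a public (nopriv) action that loads
// an invoice purely by integer id, with no ownership check and with distinct
// error text that confirms whether a given id exists.
function lp_weak_create_payment_intent() {
    $invoice = lp_get_invoice( intval( $_POST['invoice_id'] ?? 0 ) );
    if ( ! $invoice ) {
        wp_send_json_error( 'Invoice not found' ); // enumeration oracle
    }
    wp_send_json_success( lp_build_intent_payload( $invoice ) );
}

// Hardened pattern: gate the object on something the caller must already
// possess (the invoice's access key, compared in constant time) or on a
// verified relationship (logged-in owner), and collapse every failure into
// one identical response so the endpoint cannot be used to enumerate ids.
function lp_hardened_create_payment_intent() {
    $invoice_id = intval( $_POST['invoice_id'] ?? 0 );
    $access_key = (string) ( $_POST['access_key'] ?? '' );
    $invoice    = lp_get_invoice( $invoice_id );

    $authorized = false;
    if ( $invoice ) {
        if ( $access_key !== '' && hash_equals( $invoice->access_key, $access_key ) ) {
            $authorized = true; // guest flow: holder of the per-invoice key
        } elseif ( is_user_logged_in()
                   && lp_user_owns_invoice( get_current_user_id(), $invoice ) ) {
            $authorized = true; // authenticated owner of the invoice
        }
    }

    if ( ! $authorized ) {
        // Same message and status whether the id is unknown or simply not the
        // caller's: nothing in the response distinguishes the two cases.
        wp_send_json_error( 'Unable to process this request.', 403 );
    }
    wp_send_json_success( lp_build_intent_payload( $invoice ) );
}

// The hardened handler can stay reachable for guests because the access key,
// not the WordPress session, is what authorizes access to a given invoice.
add_action( 'wp_ajax_lp_create_payment_intent',        'lp_hardened_create_payment_intent' );
add_action( 'wp_ajax_nopriv_lp_create_payment_intent', 'lp_hardened_create_payment_intent' );
```

Two design points matter here. The access key has to be long and random so that it cannot be guessed the way a sequential id can, which is why it comes from random_bytes rather than from anything derived from the invoice id. And the generic error response is what removes the enumeration side channel: an endpoint that validates correctly but still answers "not found" for one id and "forbidden" for another continues to confirm which ids exist.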

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-5234

Affected Products: Latepoint