Invoiceplane: >> Invoiceplane Security Vulnerabilities
InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.
CVSS Score
9.8
EPSS Score
0.005
Published
2025-03-28
A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Score
3.7
EPSS Score
0.001
Published
2024-12-16
Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-02-07
InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-05-17
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.
CVSS Score
7.5
EPSS Score
0.008
Published
2021-05-17
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-05-10
InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to the "Create Invoice" option. The XSS payload is rendered at an index.php/invoices/view/## URI. NOTE: this is different from CVE-2018-12255.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-03-21
An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-07-03
An issue was discovered in InvoicePlane before 1.5.5. It was observed that the Email address and Web address parameters are vulnerable to Cross Site Scripting, related to application/modules/clients/views/view.php, application/modules/invoices/views/view.php, and application/modules/quotes/views/view.php.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-03-05
Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-02-09
Page 1