VYPR
Moderate severity · NVD Advisory · Published Jan 26, 2022 · Updated Aug 2, 2024

Improper Access Control in crater-invoice/crater

CVE-2022-0203

Description

Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crater prior to 6.0.2 contains improper access control that allows unauthenticated or low-privileged users to delete invoices and payment methods and to download expense receipts.

Vulnerability

CVE-2022-0203 is an improper access control vulnerability in the open-source invoicing application Crater, affecting versions prior to 6.0.2. The issue resides in multiple controllers: the InvoicesController::delete() method (which previously called Invoice::destroy() instead of the patched Invoice::deleteInvoices()), the PaymentMethodsController::destroy() method, and the DownloadReceiptController::__invoke() method. These endpoints were missing proper authorization checks, allowing unauthorized actions on invoices, payment methods, and expense receipts [1][2][4].

Exploitation

An attacker with network access to the Crater web application, either unauthenticated or holding a low-privileged user account, can exploit this vulnerability by sending crafted HTTP requests to the affected endpoints. For example, the InvoicesController::delete() method lacked authorization for deleting multiple invoices, and the DownloadReceiptController did not enforce that the authenticated user had permission to view the expense receipt. The attacker can call these endpoints directly, without any prior interaction from a privileged user [2][4].

Impact

Successful exploitation allows an attacker to delete invoices and payment methods, and to download expense receipts, belonging to other users or companies without proper authorization. This leads to loss of critical financial data (availability impact) and unauthorized disclosure of receipt files (confidentiality impact). The vulnerability does not directly provide code execution, but the data deletion can disrupt business operations [1][4].

Mitigation

The vulnerability is fixed in Crater version 6.0.2, released on the same date the fix was committed (2022-01-26). The fix enforces authorization checks via Laravel's authorize() method in the affected controllers, and introduces a new deleteInvoices() static method that safely deletes related transactions. Users should upgrade to version 6.0.2 or later immediately. No workaround is provided, and the vulnerability is not listed in CISA's KEV as of the publication date [2][3][4].
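The fix relies on Laravel's authorize() dispatching to a policy method. As an added example (not Crater's code and not part of the advisory), here is a policy of the kind that `$this->authorize('view', $expense)` resolves to, scoping the decision to the caller's company, together with a PHPUnit regression check. It assumes Expense and User models with a company_id attribute and an ExpensePolicy registered for (or auto-discovered from) the Expense model; the class, test and attribute names are assumptions.

```php
<?php
// Added example, not Crater's code. Assumes Expense and User models that each
// expose a company_id attribute, and that ExpensePolicy is mapped to Expense
// (via AuthServiceProvider::$policies or Laravel's policy auto-discovery).
// Two files are shown in one listing: the policy, then a feature test.

namespace App\Policies;

use App\Models\Expense;
use App\Models\User;

class ExpensePolicy
{
    // Target of $this->authorize('view', $expense). A string-only ability such
    // as 'delete multiple invoices' only proves the caller holds a permission;
    // a model-bound policy method additionally ties the decision to the
    // specific record, so a receipt id from another company is refused (403).
    public function view(User $user, Expense $expense): bool
    {
        return (int) $user->company_id === (int) $expense->company_id;
    }
}

// tests/Feature/ExpenseReceiptPolicyTest.php (hypothetical path)
namespace Tests\Feature;

use App\Models\Expense;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class ExpenseReceiptPolicyTest extends TestCase
{
    public function test_receipt_view_is_scoped_to_company(): void
    {
        // Constructed in-memory models; forceFill bypasses $fillable and no
        // database rows are written.
        $expense  = (new Expense)->forceFill(['company_id' => 1]);
        $insider  = (new User)->forceFill(['company_id' => 1]);
        $outsider = (new User)->forceFill(['company_id' => 2]);

        $this->assertTrue(Gate::forUser($insider)->allows('view', $expense));
        $this->assertTrue(Gate::forUser($outsider)->denies('view', $expense));
    }
}
```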

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bytefury/crater (Packagist)
Affected versions: < 6.0.2
Patched versions: 6.0.2

Affected products (2)

Patches (1)
dd324c8bb6b1

solve payment method delete issue

Repository: https://github.com/crater-invoice/crater · Author: jayvirsinh_gohil · Jan 13, 2022 · via GHSA
5 files changed · +28 −4
  • app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php+1 1 modified
    @@ -102,7 +102,7 @@ public function delete(DeleteInvoiceRequest $request)
         {
             $this->authorize('delete multiple invoices');
     
    -        Invoice::destroy($request->ids);
    +        Invoice::deleteInvoices($request->ids);
     
             return response()->json([
                 'success' => true,
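Review bot: the authorization in this hunk is the string ability 'delete multiple invoices', which is checked once against the caller and never against the ids in $request->ids, so nothing visible here ties the invoices being deleted to the caller's company; unless DeleteInvoiceRequest already validates ownership, scope the ids (for example, resolve them through an Invoice query filtered to the current company) before passing them to Invoice::deleteInvoices().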
    
  • app/Http/Controllers/V1/Admin/Payment/PaymentMethodsController.php+5 3 modified
    @@ -84,12 +84,14 @@ public function destroy(PaymentMethod $paymentMethod)
         {
             $this->authorize('delete', $paymentMethod);
     
    -        $payments = $paymentMethod->payments;
    -
    -        if ($payments->count() > 0) {
    +        if ($paymentMethod->payments()->exists()) {
                 return respondJson('payments_attached', 'Payments Attached.');
             }
     
    +        if ($paymentMethod->expenses()->exists()) {
    +            return respondJson('expenses_attached', 'Expenses Attached.');
    +        }
    +
             $paymentMethod->delete();
     
             return response()->json([
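Review bot: the two exists() guards and the subsequent $paymentMethod->delete() run without a database transaction, so a payment or expense attached between the checks and the delete would be left pointing at a removed method; wrap the checks and delete in DB::transaction(), or back the guards with a restricting foreign key so the database refuses the delete regardless of timing.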
    
  • app/Http/Controllers/V1/PDF/DownloadReceiptController.php+2 0 modified
    @@ -17,6 +17,8 @@ class DownloadReceiptController extends Controller
          */
         public function __invoke(Expense $expense)
         {
    +        $this->authorize('view', $expense);
    +
             if ($expense) {
                 $media = $expense->getFirstMedia('receipts');
                 if ($media) {
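Review bot: with implicit route-model binding $expense cannot be null when __invoke() runs (Laravel returns 404 first), and the new authorize('view', $expense) call would itself fail on a null model, so the `if ($expense) {` guard that follows is now dead; drop it and unindent the body to keep the happy path readable.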
    
  • app/Models/Invoice.php+15 0 modified
    @@ -698,4 +698,19 @@ public function changeInvoiceStatus($amount)
     
             $this->save();
         }
    +
    +    public static function deleteInvoices($ids)
    +    {
    +        foreach ($ids as $id) {
    +            $invoice = self::find($id);
    +
    +            if ($invoice->transactions()->exists()) {
    +                $invoice->transactions()->delete();
    +            }
    +
    +            $invoice->delete();
    +        }
    +
    +        return true;
    +    }
     }
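Review bot: self::find($id) returns null for an unknown or already-deleted id, so `$invoice->transactions()->exists()` throws a call-on-null error for any bad id in the list, and the method still returns true unconditionally on success; use findOrFail() or skip missing ids explicitly, and wrap the transactions delete and the invoice delete in DB::transaction() so a failure mid-loop does not leave an invoice whose transactions are already gone. Note also that find() is unscoped, so callers must have restricted the ids to their own company before calling this helper.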
    
  • app/Models/PaymentMethod.php+5 0 modified
    @@ -31,6 +31,11 @@ public function payments()
             return $this->hasMany(Payment::class);
         }
     
    +    public function expenses()
    +    {
    +        return $this->hasMany(Expense::class);
    +    }
    +
         public function company()
         {
             return $this->belongsTo(Company::class);
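Review bot: expenses() as a hasMany assumes an expenses.payment_method_id column; confirm the existing migration defines it, and give it a foreign key with a restrict rule so the database enforces the same constraint that the new exists() guard in PaymentMethodsController::destroy() checks.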
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)
