VYPR

Invoiceplane

by Invoiceplane

Source repositories

CVEs (29)

  • CVE-2024-12478Dec 16, 2024
    risk 0.00cvss epss 0.01

    A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be…

  • CVE-2024-12362Dec 16, 2024
    risk 0.00cvss epss 0.01

    A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The…

  • CVE-2023-23011Feb 7, 2023
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.

  • CVE-2021-29024May 17, 2021
    risk 0.00cvss epss 0.01

    In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.

  • CVE-2021-29023May 17, 2021
    risk 0.00cvss epss 0.01

    InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.

  • CVE-2021-29022May 10, 2021
    risk 0.00cvss epss 0.01

    In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.

  • CVE-2019-7223Mar 16, 2019
    risk 0.00cvss epss 0.01

    InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to the "Create Invoice" option. The XSS payload is rendered at an index.php/invoices/view/## URI. NOTE: this is different from CVE-2018-12255.

  • CVE-2017-18217MedMar 5, 2018
    risk 0.00cvss 6.1epss 0.01

    An issue was discovered in InvoicePlane before 1.5.5. It was observed that the Email address and Web address parameters are vulnerable to Cross Site Scripting, related to application/modules/clients/views/view.php, application/modules/invoices/views/view.php, and…

  • CVE-2017-1000508MedFeb 9, 2018
    risk 0.00cvss 6.1epss 0.01

    Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later.

Page 2 of 2