Invoiceplane
by Invoiceplane
Source repositories
CVEs (29)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-12478 | 0.00 | — | 0.01 | Dec 16, 2024 | A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be… | |||
| CVE-2024-12362 | 0.00 | — | 0.01 | Dec 16, 2024 | A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The… | |||
| CVE-2023-23011 | 0.00 | — | 0.01 | Feb 7, 2023 | Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php. | |||
| CVE-2021-29024 | 0.00 | — | 0.01 | May 17, 2021 | In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication. | |||
| CVE-2021-29023 | 0.00 | — | 0.01 | May 17, 2021 | InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable. | |||
| CVE-2021-29022 | 0.00 | — | 0.01 | May 10, 2021 | In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory. | |||
| CVE-2019-7223 | 0.00 | — | 0.01 | Mar 16, 2019 | InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to the "Create Invoice" option. The XSS payload is rendered at an index.php/invoices/view/## URI. NOTE: this is different from CVE-2018-12255. | |||
| CVE-2017-18217 | Med | 0.00 | 6.1 | 0.01 | Mar 5, 2018 | An issue was discovered in InvoicePlane before 1.5.5. It was observed that the Email address and Web address parameters are vulnerable to Cross Site Scripting, related to application/modules/clients/views/view.php, application/modules/invoices/views/view.php, and… | ||
| CVE-2017-1000508 | Med | 0.00 | 6.1 | 0.01 | Feb 9, 2018 | Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later. |
- CVE-2024-12478Dec 16, 2024risk 0.00cvss —epss 0.01
A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be…
- CVE-2024-12362Dec 16, 2024risk 0.00cvss —epss 0.01
A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The…
- CVE-2023-23011Feb 7, 2023risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.
- CVE-2021-29024May 17, 2021risk 0.00cvss —epss 0.01
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.
- CVE-2021-29023May 17, 2021risk 0.00cvss —epss 0.01
InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.
- CVE-2021-29022May 10, 2021risk 0.00cvss —epss 0.01
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
- CVE-2019-7223Mar 16, 2019risk 0.00cvss —epss 0.01
InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to the "Create Invoice" option. The XSS payload is rendered at an index.php/invoices/view/## URI. NOTE: this is different from CVE-2018-12255.
- risk 0.00cvss 6.1epss 0.01
An issue was discovered in InvoicePlane before 1.5.5. It was observed that the Email address and Web address parameters are vulnerable to Cross Site Scripting, related to application/modules/clients/views/view.php, application/modules/invoices/views/view.php, and…
- risk 0.00cvss 6.1epss 0.01
Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later.
Page 2 of 2