CVE-2024-12362

EPSS 0.53%
Veröffentlicht 16.12.2024 10:15:05
Zuletzt bearbeitet 15.10.2025 17:42:53
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

InvoicePlane invoices.php download path traversal

A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Invoiceplane ≫ Invoiceplane Version <= 1.6.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.407

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cna@vuldb.com	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/InvoicePlane/InvoicePlane/pull/1127

Issue Tracking

https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1

Release Notes

https://vuldb.com/?ctiid.288537

VDB Entry

Permissions Required

https://vuldb.com/?id.288537

Third Party Advisory

VDB Entry

https://vuldb.com/?submit.459908

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2024-12362

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12362

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12362

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-12362