Invoiceplane
CVE-2018-12255
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field.
AnalysisAI
An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field. Affected products include: Invoiceplane.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Invoiceplane
View allInvoicePlane through 1.6.3 allows authenticated users to upload PHP files as attachments that can be executed remotely.
Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.
InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a mal
Unauthenticated attackers can read arbitrary files from InvoicePlane servers through path traversal in the Guest control
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Rated high
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" para
InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerabilit
Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.
Stored XSS via SVG file upload in InvoicePlane 1.7.0 Login Logo functionality allows authenticated administrators to inj
Stored XSS in InvoicePlane 1.7.0's invoice editing function fails to sanitize the invoice_number parameter, allowing aut
Stored XSS in InvoicePlane 1.7.0 via malicious SVG file upload in the Invoice Logo function allows authenticated adminis
Stored XSS in InvoicePlane 1.7.0's Edit Quotes function allows authenticated administrators to inject malicious scripts
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today