Skip to main content

Invoiceplane CVE-2024-12667

MEDIUM
Insufficient Session Expiration (CWE-613)
2024-12-16 cna@vuldb.com
6.3
CVSS 4.0 · Vendor: vuldb
Share

Severity by source

Vendor (vuldb) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vuldb) · only source for this CVE.

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Dec 16, 2024 - 20:15 cve.org
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-613. A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. Affected products include: Invoiceplane. Version information: up to 1.6.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-67084 CRITICAL POC
9.9 Jan 15

InvoicePlane through 1.6.3 allows authenticated users to upload PHP files as attachments that can be executed remotely.

CVE-2026-25548 CRITICAL POC
9.1 Feb 18

Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.

CVE-2017-1000238 HIGH POC
8.8 Nov 17

InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a mal

CVE-2026-23491 HIGH POC
7.5 Feb 18

Unauthenticated attackers can read arbitrary files from InvoicePlane servers through path traversal in the Guest control

CVE-2021-29024 HIGH POC
7.5 May 17

In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Rated high

CVE-2025-67082 MEDIUM POC
6.5 Jan 15

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" para

CVE-2024-56975 CRITICAL
9.8 Mar 28

InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerabilit

CVE-2023-23011 MEDIUM POC
6.1 Feb 07

Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.

CVE-2018-12255 MEDIUM POC
6.1 Jul 03

An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field. Rated medium severity (

CVE-2026-24745 MEDIUM POC
5.7 Feb 18

Stored XSS via SVG file upload in InvoicePlane 1.7.0 Login Logo functionality allows authenticated administrators to inj

CVE-2026-24744 MEDIUM POC
5.7 Feb 18

Stored XSS in InvoicePlane 1.7.0's invoice editing function fails to sanitize the invoice_number parameter, allowing aut

CVE-2026-24743 MEDIUM POC
5.7 Feb 18

Stored XSS in InvoicePlane 1.7.0 via malicious SVG file upload in the Invoice Logo function allows authenticated adminis

Share

CVE-2024-12667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy