Invoiceninja
Monthly
Open redirect in Invoice Ninja's client portal login (through version 5.13.26) enables unauthenticated attackers to craft login URLs that transparently redirect authenticated victims to attacker-controlled external sites after they complete a legitimate login. The vulnerability stems from the `intended` query parameter being stored in the session without host validation, then emitted verbatim by the `ContactLoginController::authenticated()` handler post-login, making it a reliable phishing vector against Invoice Ninja clients. A publicly available proof-of-concept exists; no CISA KEV listing is present at time of analysis.
Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.
Open redirect in Invoice Ninja's client portal login (through version 5.13.26) enables unauthenticated attackers to craft login URLs that transparently redirect authenticated victims to attacker-controlled external sites after they complete a legitimate login. The vulnerability stems from the `intended` query parameter being stored in the session without host validation, then emitted verbatim by the `ContactLoginController::authenticated()` handler post-login, making it a reliable phishing vector against Invoice Ninja clients. A publicly available proof-of-concept exists; no CISA KEV listing is present at time of analysis.
Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.