Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7223
In file InvoicePlane-1.5.4\application\modules\invoices\controllers\Ajax.php
/**
 * Excerpt of the AJAX save handler: copies the posted invoice_password field
 * into the array that is handed to mdl_invoices->save().
 *
 * NOTE(review): $invoice_id is not assigned anywhere in the lines shown, so
 * this listing is presumably abridged from the full method.
 */
public function save(){
$db_array = [
// Source of the data flow: a request-controlled POST field, read as-is.
// No validation, length limit or encoding is applied in the lines shown.
'invoice_password' => $this->input->post('invoice_password'),
];
// The array goes to the model unchanged; what the model does with it is not
// visible here (presumably it persists the value with the invoice — confirm).
$this->mdl_invoices->save($invoice_id, $db_array);
}
In file InvoicePlane-1.5.4\application\modules\invoices\controllers\Invoices.php
/**
 * Excerpt of the invoice detail action: loads one invoice through the model
 * and hands the whole object to the 'invoices/view' template.
 *
 * NOTE(review): the braces below do not balance (render() follows a closing
 * brace), so lines were presumably elided from the original method.
 *
 * @param mixed $invoice_id Identifier passed to mdl_invoices->get_by_id().
 */
public function view($invoice_id)
{
// Result of the model lookup; the model itself is not shown in this listing.
$invoice = $this->mdl_invoices->get_by_id($invoice_id);
// The object is exposed to the template under the name 'invoice'. No field
// is encoded or filtered at this point, so the template reads each property
// (invoice_password included) exactly as the model returned it.
$this->layout->set(
array(
'invoice' => $invoice,
)
);
// Renders the 'invoices/view' template into the 'content' slot.
$this->layout->buffer(
array(
array('content', 'invoices/view')
)
);
}
$this->layout->render();
}
In file InvoicePlane-1.5.4\application\modules\layout\controllers\Layout.php
/**
 * Excerpt of the layout controller: collects values in $this->view_data and
 * passes them to views.
 *
 * None of the methods shown encodes or filters the values it receives; they
 * are forwarded to the views as given, so output encoding has to happen in
 * the view templates themselves.
 *
 * NOTE(review): $this->view_data is not declared in the lines shown; the
 * class listing is presumably abridged.
 */
class Layout extends MX_Controller
{
/**
 * Renders one or more views and stores each result in view_data.
 *
 * Called with a single argument, that argument is a list of entries of the
 * form [key, 'module/view', optional data array]. Called with more than one
 * argument, the arguments are taken as key, 'module/view' and optional data.
 *
 * @return $this
 */
public function buffer()
{
$args = func_get_args();
if (count($args) == 1) {
foreach ($args[0] as $arg) {
$key = $arg[0];
// Only the first two '/'-separated segments of the view name are used.
$view = explode('/', $arg[1]);
// view_data is merged last, so on a string-key collision the already
// collected view_data value replaces the per-call one.
$data = array_merge(isset($arg[2]) ? $arg[2] : array(), $this->view_data);
// Third argument true: the loader's result is stored under $key rather
// than discarded (CodeIgniter returns the rendered view as a string).
$this->view_data[$key] = $this->load->view($view[0] . '/' . $view[1], $data, true);
}
} else {
$key = $args[0];
$view = explode('/', $args[1]);
$data = array_merge(isset($args[2]) ? $args[2] : array(), $this->view_data);
$this->view_data[$key] = $this->load->view($view[0] . '/' . $view[1], $data, true);
}
return $this;
}
/**
 * Stores values in view_data without modifying them.
 *
 * Called with a single argument, that argument is a key => value array and
 * every pair is copied. Otherwise the first two arguments are taken as key
 * and value.
 *
 * @return $this
 */
public function set()
{
$args = func_get_args();
if (count($args) == 1) {
foreach ($args[0] as $key => $value) {
// Stored verbatim: no escaping or type check on $value.
$this->view_data[$key] = $value;
}
} else {
$this->view_data[$args[0]] = $args[1];
}
return $this;
}
/**
 * Loads the view 'layout/<$view>' with everything collected in view_data.
 *
 * @param string $view View name below 'layout/'; defaults to 'layout'.
 */
public function render($view = 'layout')
{
// The loader's return value is not used here.
$this->load->view('layout/' . $view, $this->view_data);
}
}
In file InvoicePlane-1.5.4\application\modules\invoices\views\view.php
value="<?php /* Sink: invoice_password is echoed into a double-quoted HTML attribute with no output encoding, so a quote or markup in the value reaches the page as-is. Encode for the attribute context, e.g. htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). */ echo $invoice->invoice_password; ?>"