Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12255
In file InvoicePlane-1.5.4\application\modules\quotes\controllers\Ajax.php
public function save()
{
$db_array = array(
'quote_password' => $this->input->post('quote_password'),
);
$this->mdl_quotes->save($quote_id, $db_array);
}In file C:\projects\ci\InvoicePlane-1.5.4\application\modules\quotes\controllers\Quotes.php
public function view($quote_id){
$quote = $this->mdl_quotes->get_by_id($quote_id);
$this->layout->set(
array(
'quote' => $quote,
)
);
$this->layout->buffer(
array(
array('content', 'quotes/view')
)
);
$this->layout->render();
}In file InvoicePlane-1.5.4\application\modules\layout\controllers\Layout.php
class Layout extends MX_Controller
{
public function buffer()
{
$args = func_get_args();
if (count($args) == 1) {
foreach ($args[0] as $arg) {
$key = $arg[0];
$view = explode('/', $arg[1]);
$data = array_merge(isset($arg[2]) ? $arg[2] : array(), $this->view_data);
$this->view_data[$key] = $this->load->view($view[0] . '/' . $view[1], $data, true);
}
} else {
$key = $args[0];
$view = explode('/', $args[1]);
$data = array_merge(isset($args[2]) ? $args[2] : array(), $this->view_data);
$this->view_data[$key] = $this->load->view($view[0] . '/' . $view[1], $data, true);
}
return $this;
}
public function set()
{
$args = func_get_args();
if (count($args) == 1) {
foreach ($args[0] as $key => $value) {
$this->view_data[$key] = $value;
}
} else {
$this->view_data[$args[0]] = $args[1];
}
return $this;
}
public function render($view = 'layout')
{
$this->load->view('layout/' . $view, $this->view_data);
}
}In file InvoicePlane-1.5.4\application\modules\quotes\views\view.php
value="<?php echo $quote->quote_password; ?>">