CVE-2023-23011 is assigned
Link: https://github.com/InvoicePlane/InvoicePlane
Multiple XSS vulnerabilities.
Vulnerability1: In file InvoicePlane-development\application\modules\products\controllers\Ajax.php
    // Read from the query string; no validation or encoding is applied
    $filter_product = $this->input->get('filter_product');
    //...
    $data = array(
        'products' => $products,
        'families' => $families,
        'filter_product' => $filter_product,
        'filter_family' => $filter_family,
        'default_item_tax_rate' => $default_item_tax_rate,
    );
    //...
    $this->layout->load_view('products/modal_product_lookups', $data);
The value is then printed in file InvoicePlane-development\application\modules\products\views\modal_product_lookups.php
    <?php echo $filter_product ?>
Vulnerability2: In file InvoicePlane-development\application\modules\invoices\controllers\Ajax.php with invoice_id
    public function modal_create_recurring(){
        $data = [
            // Taken straight from the POST body and handed to the view
            'invoice_id' => $this->input->post('invoice_id'),
            'recur_frequencies' => $this->mdl_invoices_recurring->recur_frequencies,
        ];
        $this->layout->load_view('invoices/modal_create_recurring', $data);
    }
Then, it is printed without sanitization in file InvoicePlane-development\application\modules\invoices\views\modal_create_recurring.php
    <?php echo $invoice_id; ?>
The remaining issues follow the same pattern:
Vulnerability3: invoice_id in InvoicePlane-development\application\modules\invoices\controllers\Ajax.php and printed in modal_create_recurring.php
Vulnerability4: invoice_id in InvoicePlane-development\application\modules\invoices\controllers\Ajax.php and printed in modal_create_credit.php
Vulnerability5: quote_id in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in modal_copy_quote.php
Vulnerability6: invoice_id in InvoicePlane-development\application\modules\invoices\controllers\Ajax.php and printed in modal_copy_invoice.php
Vulnerability7: quote_id in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in modal_change_client.php
Vulnerability8: payment_cf_exist in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in modal_add_payment.php
Vulnerability9: quote_id in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in the same page.
    public function change_client(){
        //...
        $client_id = $this->input->post('client_id');
        //....
        $response = [
            'success' => 1,
            'quote_id' => $quote_id,
        ];
        //...
        // quote_id is returned in the JSON response
        echo json_encode($response);
    }
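Hardened counterparts for the three patterns above (a value echoed in a view, a numeric id passed from a controller to a view, and a value returned in a JSON response), as an added example that is not InvoicePlane's code or its actual patch. The helper names esc_html_value, clean_id and json_body are hypothetical, and the sample input is constructed.

```php
<?php
// Added illustration; helper names are hypothetical, not InvoicePlane functions.

// Views: escape a request-derived value (e.g. $filter_product) before echoing
// it into an HTML text node or quoted attribute. Non-scalar input such as
// ?filter_product[]=x arrives as an array and is rendered as an empty string.
function esc_html_value($value): string
{
    if (!is_scalar($value)) {
        return '';
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Controllers: invoice_id / quote_id are numeric, so reject anything else
// instead of passing the raw POST value on to the view.
function clean_id($value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// JSON responses: hex-escape <, >, &, ' and " so the body stays inert even if
// a browser renders it as HTML. Send it with Content-Type: application/json,
// because PHP's default content type is text/html.
function json_body(array $response): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($response, $flags | JSON_THROW_ON_ERROR);
}

// Constructed sample input: a harmless marker standing in for a request parameter.
$sample = '"><b>marker</b>';

echo esc_html_value($sample), PHP_EOL;          // view output, entity-encoded
var_dump(clean_id('42'), clean_id($sample));    // accepted id, rejected id
echo json_body(['success' => 1, 'quote_id' => clean_id('7')]), PHP_EOL;
echo json_body(['success' => 1, 'quote_id' => $sample]), PHP_EOL;
```

In a view the call replaces the bare echo, for example `<?php echo esc_html_value($invoice_id); ?>`.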