
@enferas
Last active January 21, 2023 11:56
XSS in InvoicePlane

CVE-2023-23011 has been assigned.

Link: https://github.com/InvoicePlane/InvoicePlane

Multiple XSS vulnerabilities.

Vulnerability1: In file InvoicePlane-development\application\modules\products\controllers\Ajax.php, the filter_product GET parameter is passed to the view:

$filter_product = $this->input->get('filter_product');
//...
$data = array(
      'products' => $products,
      'families' => $families,
      'filter_product' => $filter_product,
      'filter_family' => $filter_family,
      'default_item_tax_rate' => $default_item_tax_rate,
  );
//...
$this->layout->load_view('products/modal_product_lookups', $data);

In file InvoicePlane-development\application\modules\products\views\modal_product_lookups.php, it is echoed without sanitization:

<?php echo $filter_product ?>

Vulnerability2: In file InvoicePlane-development\application\modules\invoices\controllers\Ajax.php, with the invoice_id POST parameter:

  public function modal_create_recurring(){
      $data = [
          'invoice_id' => $this->input->post('invoice_id'),
          'recur_frequencies' => $this->mdl_invoices_recurring->recur_frequencies,
      ];

      $this->layout->load_view('invoices/modal_create_recurring', $data);
  }

It is then printed without sanitization in file InvoicePlane-development\application\modules\invoices\views\modal_create_recurring.php:

<?php echo $invoice_id; ?>

The same pattern occurs in the following cases:

Vulnerability3: invoice_id in InvoicePlane-development\application\modules\invoices\controllers\Ajax.php and printed in modal_create_recurring.php

Vulnerability4: invoice_id in InvoicePlane-development\application\modules\invoices\controllers\Ajax.php and printed in modal_create_credit.php

Vulnerability5: quote_id in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in modal_copy_quote.php

Vulnerability6: invoice_id in InvoicePlane-development\application\modules\invoices\controllers\Ajax.php and printed in modal_copy_invoice.php

Vulnerability7: quote_id in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in modal_change_client.php

Vulnerability8: payment_cf_exist in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in modal_add_payment.php

Vulnerability9: quote_id in InvoicePlane-development\application\modules\quotes\controllers\Ajax.php and printed in the same page.

  public function change_client(){
     //...
      $client_id = $this->input->post('client_id');
      //....
          $response = [
              'success' => 1,
              'quote_id' => $quote_id,
          ];
      //...

      echo json_encode($response);
  }
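
The views and the JSON response above echo request values unchanged. The following added example (not InvoicePlane code and not from the gist author) shows the same three sinks with output escaping, integer validation of ID parameters, and hex-escaped JSON. The helper names esc_html_value, positive_int_or_null and json_body are hypothetical, and the request values are constructed.

```php
<?php
// Added example: hardened forms of the echo patterns listed above.
// Helper names are hypothetical; they are not part of InvoicePlane or CodeIgniter.

// Escape a value for an HTML text node or a quoted attribute.
function esc_html_value($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// invoice_id / quote_id are expected to be positive integers: reject anything else.
function positive_int_or_null($value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Encode a response so <, >, &, ' and " become \uXXXX escapes. The body then
// stays inert even if it is rendered as HTML (PHP's default Content-Type is text/html).
function json_body(array $response): string
{
    return json_encode(
        $response,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed request values standing in for $this->input->get() / ->post().
$filter_product = '"><script>alert(1)</script>';
$invoice_id     = '12"><script>alert(1)</script>';
$quote_id       = '<script>alert(1)</script>';

// View sink (Vulnerability1 pattern): escape at output time.
echo esc_html_value($filter_product), PHP_EOL;

// ID sinks (Vulnerability2-8 pattern): validate in the controller, escape in the view.
$id = positive_int_or_null($invoice_id);
echo $id === null ? 'rejected: invoice_id is not a positive integer' : esc_html_value($id), PHP_EOL;
echo esc_html_value(positive_int_or_null('42')), PHP_EOL;

// JSON sink (Vulnerability9 pattern): in a web context, also send
// header('Content-Type: application/json; charset=utf-8') before the body.
echo json_body(['success' => 1, 'quote_id' => $quote_id]), PHP_EOL;
```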