CVE-2023-23011

CVE-2023-23011.md

CVE-2023-23011 is assigned Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php

Link: https://github.com/InvoicePlane/InvoicePlane

Multiple XSS vulnerabilities.

Vulnerability1: In file InvoicePlane-development\application\modules\products\controllers\Ajax.php

$filter_product = $this->input->get('filter_product');
//...
$data = array(
      'products' => $products,
      'families' => $families,
      'filter_product' => $filter_product,
      'filter_family' => $filter_family,
      'default_item_tax_rate' => $default_item_tax_rate,
  );
//...
$this->layout->load_view('products/modal_product_lookups', $data);

In file InvoicePlane-development\application\modules\products\views\modal_product_lookups.php

<?php echo $filter_product ?>