CVE-2023-23011 has been assigned to a Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6, reachable through the filter_product input that is rendered by the file modal_product_lookups.php.
Link: https://github.com/InvoicePlane/InvoicePlane
Multiple XSS vulnerabilities.
Vulnerability 1: In file InvoicePlane-development\application\modules\products\controllers\Ajax.php, the filter_product GET parameter is read and passed unmodified into the view data:
$filter_product = $this->input->get('filter_product');
//...
$data = array(
'products' => $products,
'families' => $families,
'filter_product' => $filter_product,
'filter_family' => $filter_family,
'default_item_tax_rate' => $default_item_tax_rate,
);
//...
$this->layout->load_view('products/modal_product_lookups', $data);
In file InvoicePlane-development\application\modules\products\views\modal_product_lookups.php, the view then echoes that value into the response without any HTML encoding:
<?php echo $filter_product ?>
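The vulnerable echo next to a hardened rendering, as an added example that is not InvoicePlane's own code. The surrounding span markup, the escape_html helper and the input string are constructed for illustration; the point is that encoding must happen at the output boundary, with flags that match the HTML context.

```php
<?php
declare(strict_types=1);

// Added example, not InvoicePlane's own code: the vulnerable echo from the
// report next to a hardened version, run against a constructed input so the
// difference in output is visible. The span markup is invented for context.

// Vulnerable: equivalent to `<?php echo $filter_product ?>` in
// modal_product_lookups.php. Whatever arrived in ?filter_product= is copied
// into the HTML response byte for byte, so markup in it is parsed as markup.
function render_filter_vulnerable(string $filter_product): string
{
    return '<span class="filter">' . $filter_product . '</span>';
}

// Hardened: encode at the output boundary. ENT_QUOTES also covers both quote
// characters, so the same helper is safe inside attribute values; ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently producing an empty string.
// CodeIgniter 3, which InvoicePlane 1.x builds on, ships html_escape() for the
// same purpose; it wraps htmlspecialchars() much like this.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_filter_hardened(string $filter_product): string
{
    return '<span class="filter">' . escape_html($filter_product) . '</span>';
}

// Check: the static template contributes exactly two '<' and two '"'.
// Any extra ones in the rendered fragment came through from the input unencoded.
function has_unencoded_input(string $html): bool
{
    return substr_count($html, '<') !== 2 || substr_count($html, '"') !== 2;
}

// Constructed input: harmless markup standing in for untrusted request data.
$input  = '<b>laptop</b> "';
$unsafe = render_filter_vulnerable($input);
$safe   = render_filter_hardened($input);

if (!has_unencoded_input($unsafe) || has_unencoded_input($safe)) {
    throw new RuntimeException('escaping check failed');
}
if ($safe !== '<span class="filter">&lt;b&gt;laptop&lt;/b&gt; &quot;</span>') {
    throw new RuntimeException('unexpected hardened output');
}

echo "vulnerable: $unsafe\n";
echo "hardened:   $safe\n";
```

Running the script prints the raw markup in the vulnerable line and the entity-encoded text in the hardened one; the same encoding belongs on every request-derived value in the view data, not only filter_product.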