InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a malicious file to the webserver. It is possible for an attacker to upload a script which is able to compromise the webserver.
References
Link | Resource |
---|---|
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170523-0_InvoicePlane_Upload_arbitrary_files_stored_XSS_v10.txt | Exploit Issue Tracking Third Party Advisory |
Configurations
Information
Published : 2017-11-16 19:29
Updated : 2017-11-30 11:15
NVD link : CVE-2017-1000238
Mitre link : CVE-2017-1000238
JSON object : View
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
Products Affected
invoiceplane
- invoiceplane