File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
InvoicePlane application does not properly verify the type or content of files uploaded in the attachments module. An authenticated user can upload a PHP file instead of an allowed attachment. After uploading the file to the server, an attacker can invoke it through a browser or direct HTTP request, which results in executing PHP code in the context of the web server. This way it is possible to gain full control over the server environment.
An attacker with access to an account in the application can execute arbitrary code on the server (RCE), which can lead to taking control of the system, data theft, backdoor installation, or further lateral movement in the network.
Patches available from the vendor should be applied according to the references. Until the fix is implemented, it is recommended to restrict access to the application only to trusted users and configure the web server so that files in attachment directories are not executable (e.g., block PHP execution in the uploads directory).
InvoicePlane in version 1.6.3 and earlier
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HInvoiceplane
APPInvoiceplane< 1.6.4
Related vulnerabilities
Path traversal w InvoicePlane umożliwia odczyt dowolnych plików bez uwierzytelnienia
RCE w InvoicePlane 1.7.0 via LFI i Log Poisoning
RCE w InvoicePlane — niebezpieczne przesyłanie plików (upload_file)
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. ...
InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can up...