- Description
- Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The {hash} parameter is passed to the decrypt function, which expects a Laravel-encrypted value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY fully controls a string passed to an unserialize function.
- Source
- cve@mitre.org
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-502
CVE-2024-55555 Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, availa… https://t.co/3ZB5kzu956
@CVEnew
8 Jan 2025
Three CVEs affecting common open source Laravel projects were released on our website today! They were presented @GreHackConf by our ninjas @_remsio_ and @Kainx42 🥷 🛡️ Snipe-IT: CVE-2024-48987 🛡️ InvoiceNinja: CVE-2024-55555 🛡️ Crater Invoice: CVE-2024-55556
@Synacktiv
13 Dec 2024