Invoice Ninja Remote Code Execution Vulnerability via Unauthenticated Route

Vulnerability

A remote code execution vulnerability has been identified in Invoice Ninja versions 5.8.22 through 5.10.10. The issue arises from an unauthenticated route that allows attackers to execute arbitrary code if they know the APP_KEY. The vulnerability is compounded by default APP_KEY values present in several .env files shipped in the product's repository, which means the key is effectively public for any deployment that kept them. The vulnerable route, defined in 'invoiceninja/routes/client.php', accepts a parameter that is decrypted and then unserialized, so a caller holding the key can reach PHP's unserialize() through Laravel's encryption helpers and exploit its deserialization behaviour.
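The decrypt-then-unserialize pattern the advisory describes, beside a hardened form of the same handler, as an added PHP illustration that is not Invoice Ninja's own code; it assumes a Laravel application, and the handler names and the {url, expires} payload fields are hypothetical:

```php
<?php
// Added illustration, not Invoice Ninja's own route code. Assumes a Laravel
// app; the handler names and the {url, expires} payload shape are hypothetical.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;

// Vulnerable pattern: Crypt::decrypt() calls unserialize() on the plaintext by
// default, so whoever holds APP_KEY controls the PHP object graph rebuilt here.
// With a default APP_KEY shipped in .env, that is anyone who read the repo.
function vulnerableRouteHandler(string $hash)
{
    $data = Crypt::decrypt($hash);        // same as Crypt::decrypt($hash, true)
    return redirect($data['url']);
}

// Hardened pattern: decrypt to a string only, parse it as JSON into plain
// arrays, validate every field, and reject anything that does not match.
function hardenedRouteHandler(string $hash)
{
    try {
        $json = Crypt::decryptString($hash);   // no unserialize() step
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (DecryptException | \JsonException $e) {
        abort(404);                            // bad key, tampered or malformed
    }

    if (!is_array($data)
        || !isset($data['url'], $data['expires'])
        || !is_int($data['expires'])
        || $data['expires'] < time()) {         // expired link
        abort(404);
    }

    // Only same-origin paths are accepted, so the endpoint cannot be turned
    // into an open redirect either.
    $url = (string) $data['url'];
    if ($url === '' || $url[0] !== '/' || str_starts_with($url, '//')) {
        abort(404);
    }

    return redirect($url);
}
```

Independently of the code path, an APP_KEY copied from a published .env file must be treated as public and regenerated (Laravel's `php artisan key:generate`) after upgrading; note that rotating the key invalidates data the application previously encrypted with it.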

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected server.

Reproduction

The vulnerability can be reproduced by accessing the '/route/{hash}' endpoint with a value encrypted with Laravel's cipher under the application's APP_KEY that, when decrypted, yields a payload capable of executing commands on the server. This requires knowledge of the APP_KEY, which can be obtained from the default values in the application's .env files.

Remediation

Users are advised to upgrade Invoice Ninja to version 5.10.11 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread           5.2
  impact          10.0
  exploitability   9.7
  remediation      8.3
  relevance        0.0
  threat           7.3
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.