Invoice Ninja Authenticated Server-Side Request Forgery Vulnerability Allowing Arbitrary File Read and Network Resource Requests

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Invoice Ninja versions from 5.8.56 up to, but not including, 5.11.23. It allows an authenticated user to cause the application to read arbitrary files from the server and to issue requests to network resources on the application's behalf, including resources reachable only from the server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal files and services, potentially allowing for further attacks or data exposure.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request that triggers the SSRF flaw: by manipulating how the application handles the request, the server can be made to read arbitrary files or to contact network resources of the user's choosing.

Remediation

Users should update to Invoice Ninja version 5.11.23 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         5.2
impact:         0.8
exploitability: 6.4
remediation:    0.0
relevance:      0.0
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.