InvoicePlane Incorrect Access Control Vulnerability in Invoice View Handler

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in InvoicePlane version 1.6.1. The issue arises from the invoices/view handler, which fails to verify that the requested invoice belongs to the requesting user before disclosing its data. This allows any authenticated user to access invoices belonging to other users by changing the invoice ID parameter, leading to unauthorized exposure of financial and customer information.

Impact

Exploitation of this vulnerability allows for unauthorized read access to invoices, violating user isolation and exposing sensitive financial and customer data.

Reproduction

To reproduce this vulnerability, log in as User A and access one of your invoices. Note the request used to view or download the invoice, which will include the invoice ID. Then, log in as User B and modify the invoice ID in the request to one belonging to User A. The invoice will load successfully, demonstrating the lack of ownership verification.

Remediation

Users are advised to update to the latest version of InvoicePlane, where this vulnerability has been addressed.
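To make the missing ownership check and its fix concrete, here is an added example (not InvoicePlane's own code; the table schema, function names and sample rows are constructed for illustration): a lookup keyed on the invoice ID alone, the same lookup scoped to the requesting user, and a small helper that flags cross-user reads in a list of recorded accesses.

```python
import sqlite3

# Constructed in-memory stand-in for the application's database.
# Assumed schema (hypothetical): invoices(id, owner_user_id, client, total).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_user_id INTEGER, "
        "client TEXT, total REAL)"
    )
    # Invoice 101 belongs to user 1 (User A); invoice 102 belongs to user 2 (User B).
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [(101, 1, "ACME Ltd", 1200.0), (102, 2, "Globex", 340.5)],
    )
    return db

def view_invoice_vulnerable(db, invoice_id, current_user_id):
    """The pattern the advisory describes: the record is fetched by ID only,
    so current_user_id never influences what is returned."""
    return db.execute(
        "SELECT id, owner_user_id, client, total FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()

def view_invoice_fixed(db, invoice_id, current_user_id):
    """Ownership is enforced inside the query, so a mismatched owner yields
    'not found' rather than another user's data (and does not reveal whether
    the ID exists at all)."""
    row = db.execute(
        "SELECT id, owner_user_id, client, total FROM invoices "
        "WHERE id = ? AND owner_user_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    if row is None:
        raise PermissionError("invoice not found or not owned by the current user")
    return row

def find_cross_user_reads(db, accesses):
    """Detection aid: given (user_id, invoice_id) pairs taken from access records,
    return the pairs where the user is not the invoice's owner. Useful for
    reviewing historical requests to the view handler after patching."""
    owners = dict(db.execute("SELECT id, owner_user_id FROM invoices").fetchall())
    return [(u, i) for u, i in accesses if i in owners and owners[i] != u]
```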

Added: Dec 16, 2025, 6:57 PM
Updated: Dec 16, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.