CVE-2024-12362

4.3 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in InvoicePlane's invoices.php: by manipulating the invoice parameter, an attacker can make the application read files outside the directory it is meant to serve. The vulnerability affects InvoicePlane installations up to version 1.6.1 and can be exploited remotely without authentication. Organizations using vulnerable versions of InvoicePlane for invoicing and billing should upgrade to 1.6.2-beta-1 or later; note that the 4.3 (Medium) score reflects a confidentiality-only impact bounded by what the web server user can read, not a full system compromise.

💻 Affected Systems

Products:
  • InvoicePlane
Versions: up to 1.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using vulnerable versions are affected regardless of configuration.

📦 What is this software?

InvoicePlane is a free, open-source, self-hosted invoicing and billing application written in PHP.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files, configuration files, or application data, potentially leading to credential theft, data exfiltration, or further system compromise.

🟠

Likely Case

Attackers access application configuration files, source code, or other files within the web directory, potentially obtaining database credentials or other sensitive information.

🟢

If Mitigated

With proper file permissions and web server configuration, impact is limited to files readable by the web server user, which keeps critical system files out of reach. The application's own configuration, including any database credentials stored there, is still readable by that user, so permissions reduce the blast radius but do not remove the vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in the GitHub pull request and vulnerability databases.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.2-beta-1

Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1

Restart Required: No

Instructions:

1. Back up your current InvoicePlane installation and database.
2. Download version 1.6.2-beta-1 from the GitHub releases page linked above.
3. Replace the vulnerable files with the patched versions.
4. Verify the application functions correctly.

Note that 1.6.2-beta-1 is a pre-release; test it in a staging environment before deploying it to production.

🔧 Temporary Workarounds

Input Validation Filter (applies to all platforms)

Add input validation so the invoice parameter is sanitized before it is used to build a file path.

Modify invoices.php to resolve the requested path with realpath(), accept it only if the resolved path lies inside the expected invoices directory, and reject any value containing directory traversal sequences ('../' or '..\'). Apply the check to the decoded value the application actually uses, so URL-encoded forms of the same sequences do not slip past it.
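The containment check the workaround describes, written out as an added example. This is not InvoicePlane's code: the function name, the base directory and the sample files are constructed for the demonstration. In PHP, realpath() canonicalises '..' segments and symlinks and returns false for a path that does not exist, so the check is: resolve the base directory, resolve base + user input, and accept the result only if it still starts with the base directory followed by a separator.

```php
<?php
// Added example (not InvoicePlane's code). safe_invoice_path() resolves a
// user-supplied invoice file name inside a fixed base directory and refuses
// anything that escapes it. Directory layout below is constructed for the demo.

/**
 * Return the absolute path of $name inside $baseDir, or null if the request
 * escapes the directory, contains a NUL byte, or names a file that does not exist.
 */
function safe_invoice_path(string $baseDir, string $name): ?string
{
    // Reject NUL bytes before any filesystem call.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses '..' and symlinks; false means "does not exist".
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    // Containment check. The trailing separator matters: without it,
    // "/var/app/invoices-private/x" would pass for base "/var/app/invoices".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout: an invoices directory with one PDF, and a sensitive
// file one level above it that a traversal attempt would try to reach.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ip_demo_' . getmypid();
mkdir("$tmp/invoices", 0700, true);
file_put_contents("$tmp/invoices/INV-001.pdf", 'pdf');
file_put_contents("$tmp/secret.txt", 'db password');

// input => whether it should be allowed
$cases = [
    'INV-001.pdf'                  => true,   // legitimate request
    '../secret.txt'                => false,  // classic traversal
    './../secret.txt'              => false,  // same thing, dressed up
    'INV-001.pdf/../../secret.txt' => false,  // traversal through a file name
    'missing.pdf'                  => false,  // nonexistent, realpath() is false
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = safe_invoice_path("$tmp/invoices", $input) !== null;
    printf("%-32s allowed=%s %s\n", $input, var_export($allowed, true),
        $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
}

// Clean up the constructed layout.
unlink("$tmp/invoices/INV-001.pdf");
unlink("$tmp/secret.txt");
rmdir("$tmp/invoices");
rmdir($tmp);
```

The check runs on the already-decoded value, as the application's own code would see it; it does not try to spot encoded '../' patterns itself, because after realpath() the only question that matters is where the path actually resolves.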

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block path traversal patterns in requests to invoices.php, covering the literal '../' as well as backslash and URL-encoded variants
  • Restrict file system permissions so the web server user can read only the directories the application needs, which limits what a successful traversal can reach

🔍 How to Verify

Check if Vulnerable:

Check the InvoicePlane version shown in the application settings, or examine the version markers in the installed source; any version up to and including 1.6.1 is vulnerable

Check Version:

Check the application dashboard or examine the application's configuration files for version information

Verify Fix Applied:

Verify the application version is 1.6.2-beta-1 or later, then, in a test environment, request invoices.php with traversal sequences in the invoice parameter and confirm the application rejects them instead of returning file contents

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs
  • Requests containing '../' or '..\' sequences, or their URL-encoded forms (for example %2e%2e%2f), in the invoice parameter
  • Access to files outside expected invoice directories

Network Indicators:

  • HTTP requests with path traversal sequences in parameters
  • Unusual file download patterns from the invoices endpoint

SIEM Query:

web.url:*invoices.php* AND (web.param:*../* OR web.param:*..\* OR web.param:*%2e%2e%2f* OR web.param:*%2e%2e%5c* OR web.param:*..%2f* OR web.param:*..%5c*)

Match the encoded forms case-insensitively (%2E as well as %2e) unless your platform already normalises URL encoding before the query runs.
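The log indicators above, turned into a small scanner as an added example (not part of the original advisory and not InvoicePlane code). It reads combined-format access-log lines, keeps only requests to invoices.php, URL-decodes the target twice so double-encoded payloads are caught, folds backslashes to forward slashes, and flags any '../' that remains. The log lines are constructed for this example.

```php
<?php
// Added example, not from the advisory or from InvoicePlane: flag access-log
// lines that look like traversal attempts against invoices.php, including the
// encoded and backslash variants a literal "../" match would miss.
// Sample lines are constructed; layout assumes the "combined" access-log format.

/**
 * True if the line is a request to invoices.php whose target contains a
 * '../' segment after double URL-decoding and backslash normalisation.
 */
function is_traversal_attempt(string $logLine): bool
{
    // Pull the request target out of "METHOD /target HTTP/x.y".
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $target = $m[1];
    if (stripos($target, 'invoices.php') === false) {
        return false;                       // other endpoints are out of scope here
    }
    // %2e%2e%2f -> ../  and  %252e%252e%252f -> %2e%2e%2f -> ../
    $decoded = rawurldecode(rawurldecode($target));
    // '..\' (encoded as %5c) is the Windows-style form of the same attack.
    $normalised = str_replace('\\', '/', $decoded);
    return strpos($normalised, '../') !== false;
}

/** Return only the lines that look like traversal attempts. */
function traversal_hits(array $lines): array
{
    return array_values(array_filter($lines, 'is_traversal_attempt'));
}

// Constructed sample: one legitimate request, three attack variants, and one
// traversal attempt against a different script that this check ignores.
$sampleLog = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /invoices.php?invoice=INV-1001 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /invoices.php?invoice=../../../etc/passwd HTTP/1.1" 200 1234',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /invoices.php?invoice=..%2F..%2Fconfig.php HTTP/1.1" 200 2200',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /invoices.php?invoice=..%255c..%255cconfig.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 0',
];

foreach (traversal_hits($sampleLog) as $hit) {
    echo "ALERT: $hit\n";               // the three invoices.php attack lines
}
```

A 200 response on a flagged line is the signal to escalate: it suggests the traversal reached a readable file rather than being rejected. The scanner deliberately does not try to guess which file was read; that is what the web server's own access log and the application's file permissions tell you during triage.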
