CVE-2026-24746
📋 TL;DR
InvoicePlane 1.7.0 has a stored XSS vulnerability in the Edit Quotes function where the quote_number parameter lacks input validation. Attackers with administrator access can inject malicious scripts that execute when other users view quotes, potentially compromising the application. Only InvoicePlane 1.7.0 installations are affected.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
Invoiceplane by Invoiceplane
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full application takeover, data theft/modification, persistent backdoor installation, and complete loss of system integrity.
Likely Case
Privileged user session hijacking, unauthorized data manipulation, and potential lateral movement within the application.
If Mitigated
Limited impact due to required admin privileges and proper input validation/sanitization in place.
🎯 Exploit Status
Exploitation requires administrator access but is technically simple once authenticated. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-vjvj
Restart Required: No
Instructions:
1. Backup your InvoicePlane database and files.
2. Download InvoicePlane 1.7.1 from the official repository.
3. Replace all files except the /uploads and /application/config directories.
4. Clear browser cache and test functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add custom input validation/sanitization for the quote_number parameter in the Edit Quotes function
Modify application/controllers/Quotes.php to add htmlspecialchars() or similar sanitization to quote_number input
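The two layers that workaround describes, as an added example written for this page rather than taken from InvoicePlane's code base: an allowlist check on the quote_number input and HTML encoding of the stored value when it is rendered. The function names, the allowed character set and the 64-character limit are assumptions; where InvoicePlane places the view code is not shown here.

```php
<?php
// Added example, not InvoicePlane's own code. Shows an allowlist validator for
// the quote_number input and an output encoder for the stored value, next to
// the vulnerable "interpolate it straight into markup" pattern.
declare(strict_types=1);

// Assumption: a quote number only needs letters, digits, space, dot,
// underscore, slash and dash, and is at most 64 bytes long.
function validate_quote_number(string $input): ?string
{
    $trimmed = trim($input);
    if ($trimmed === '' || strlen($trimmed) > 64) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9 ._\/-]+\z/', $trimmed)) {
        return null; // rejected: contains <, >, quotes or other markup characters
    }
    return $trimmed;
}

// Encode for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles, so the same encoder is safe inside value="..." as well.
function render_quote_number(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored value is interpolated into markup unchanged,
// so any tag it contains is parsed by the browser of whoever views the quote.
function vulnerable_cell(string $stored): string
{
    return "<td>$stored</td>";
}

// Hardened pattern: identical markup, encoded value.
function safe_cell(string $stored): string
{
    return '<td>' . render_quote_number($stored) . '</td>';
}

// Constructed test values: a normal quote number and a classic XSS probe string.
$legit = 'QUO-2026/001';
$probe = 'QUO-2026-001<script>alert(1)</script>';

var_dump(validate_quote_number($legit)); // accepted
var_dump(validate_quote_number($probe)); // rejected at input time

echo vulnerable_cell($probe), PHP_EOL;   // tag survives intact
echo safe_cell($probe), PHP_EOL;         // tag is rendered as literal text
```

Input validation only protects values saved after the change is deployed; quote numbers that were stored while 1.7.0 was in use are still in the database, so the output encoder is the part that actually removes the risk for existing data. Encode at every place the value is printed, not only in the Edit Quotes page.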
🧯 If You Can't Patch
- Restrict administrator account access to trusted users only and implement strict access controls
- Implement web application firewall (WAF) rules to block XSS payloads in quote_number parameter
🔍 How to Verify
Check if Vulnerable:
Confirm whether you are running InvoicePlane 1.7.0 by viewing the version in the application footer or by checking the application/config/version.php file
Check Version:
grep 'IP_VERSION' application/config/version.php
Verify Fix Applied:
After upgrading to 1.7.1, confirm that GitHub commit 93622f2df88a860d89bfee56012cabb2942061d6 is present in your codebase
📡 Detection & Monitoring
Log Indicators:
- Unusual quote_number parameter values containing script tags or JavaScript in application logs
- Multiple failed login attempts followed by successful admin login and quote editing
Network Indicators:
- HTTP POST requests to /quotes/edit containing suspicious script payloads in parameters
SIEM Query:
source="invoiceplane.log" AND ("quote_number=" AND ("<script" OR "javascript:" OR "onerror="))
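The log indicators and SIEM query above match on literal strings, which a URL-encoded or double-encoded quote_number value would slip past. The following added example (written for this page, not part of the advisory or of InvoicePlane) decodes the parameter before applying the same markers. The log line format, the field names and the sample lines are all constructed for the example.

```php
<?php
// Added example, not part of the advisory. Scans constructed access-log lines
// for POST requests to the quote editor whose quote_number value carries an
// XSS marker, decoding the value first so encoded payloads are not missed.
declare(strict_types=1);

// Same markers as the advisory's SIEM query plus a few common tag prefixes.
const XSS_MARKERS = ['<script', 'javascript:', 'onerror=', 'onload=', '<img', '<svg'];

// Pull the raw quote_number value out of a logged request line, if present.
function extract_quote_number(string $line): ?string
{
    if (!preg_match('/quote_number=([^&\s"]*)/', $line, $m)) {
        return null;
    }
    // Decode twice so double-encoded values collapse to plain text as well.
    return urldecode(urldecode($m[1]));
}

// Returns one finding per suspicious line: line number, decoded value, marker hit.
function scan_log_lines(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // Only the quote edit endpoint is in scope for this indicator.
        if (stripos($line, 'POST') === false || stripos($line, '/quotes/edit') === false) {
            continue;
        }
        $value = extract_quote_number($line);
        if ($value === null) {
            continue;
        }
        $lower = strtolower($value);
        foreach (XSS_MARKERS as $marker) {
            if (strpos($lower, $marker) !== false) {
                $findings[] = ['line' => $i + 1, 'value' => $value, 'marker' => $marker];
                break;
            }
        }
    }
    return $findings;
}

// Constructed sample log lines (format is assumed, not real InvoicePlane output):
// a benign edit, a URL-encoded payload, an unrelated GET, a double-encoded payload.
$sample = [
    '2026-01-10 09:12:01 10.0.0.5 POST /quotes/edit/12 user=admin quote_number=QUO-2026-001 status=200',
    '2026-01-10 09:13:44 10.0.0.5 POST /quotes/edit/12 user=admin quote_number=QUO%3Cscript%3Ealert%281%29%3C%2Fscript%3E status=200',
    '2026-01-10 09:14:02 10.0.0.5 GET /quotes/view/12 user=alice status=200',
    '2026-01-10 09:15:30 10.0.0.9 POST /quotes/edit/13 user=admin quote_number=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E status=200',
];

foreach (scan_log_lines($sample) as $f) {
    printf("line %d: marker '%s' in decoded quote_number %s\n", $f['line'], $f['marker'], $f['value']);
}
```

Only the second and fourth sample lines are reported; the first is a normal edit and the third is not a POST to the editor. The same decoding step belongs in the WAF rule suggested above, since a rule that inspects the raw request body sees the encoded form.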