CVE-2024-12478

CVSS 2.0 Score 6.5 of 10 (medium)

Details

Published Dec 16, 2024

CWE ID 434

CWE ID 284

Summary

CVE-2024-12478 is a critical vulnerability that affects InvoicePlane versions up to 1.6.1. The issue lies in the function upload_file of the index.php file, where manipulation of the file argument can lead to an unrestricted upload. This vulnerability can be exploited remotely, and the exploit has been disclosed to the public. To mitigate this risk, users are advised to upgrade to version 1.6.2-beta-1. The vendor responded promptly to the issue and released a fixed version of the product.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/1e5epy
https://www.cve.org/CVERecord?id=CVE-2024-12478
https://nvd.nist.gov/vuln/detail/CVE-2024-12478

Back to Vulnerability Database

CVE-2024-12478

CVSS 2.0 Score 6.5 of 10 (medium)

Details

Summary

Advisories, Assessments, and Mitigations