CVE-2024-55555
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-55555 is a remote code execution vulnerability affecting Invoice Ninja before version 5.10.43. An attacker who knows the application key can exploit a pre-authenticated route, defined in the client.php file, to execute arbitrary code. The issue is worsened by default APP_KEY values found in .env files publicly available in the product's repository. The decrypt function used by the route/{hash} route expects a Laravel-encrypted value, but an attacker holding the key can instead supply a maliciously crafted string that is passed to an unserialize function, taking full control of the application. This can lead to serious consequences, including unauthorized access and data theft.
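As an added illustration of the decrypt-then-unserialize pattern described above, the following is not Invoice Ninja's code; the route path, handler names, JSON payload shape and the list of known default keys are assumptions. It contrasts the risky Laravel call with a decrypt-to-string form and adds a deployment check for a published APP_KEY.

```php
<?php
// Added example (not Invoice Ninja's code). Route path, handler names, the
// JSON payload shape and $knownDefaults are assumptions for illustration.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Route;

// Pattern the advisory describes: Crypt::decrypt() defaults to $unserialize = true,
// so whatever plaintext the ciphertext carries is handed to unserialize(). When
// APP_KEY is known (e.g. a repository default), the ciphertext is attacker-chosen
// and a serialized object graph is instantiated before any validation runs.
function riskyHandler(string $hash): array
{
    return Crypt::decrypt($hash);               // same as Crypt::decrypt($hash, true)
}

// Hardened pattern: decrypt to a plain string (no unserialize), then parse a
// narrow, self-describing format and validate every field before use.
function safeHandler(string $hash): array
{
    try {
        $plain = Crypt::decryptString($hash);   // MAC-checked AES; never calls unserialize()
        $data  = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    } catch (DecryptException | JsonException $e) {
        abort(404);                             // bad MAC, malformed payload or bad JSON
    }
    if (!is_array($data) || !isset($data['invoice_id'], $data['exp'])
        || !ctype_digit((string) $data['invoice_id']) || time() > (int) $data['exp']) {
        abort(404);                             // wrong shape, non-numeric id or expired token
    }
    return ['invoice_id' => (int) $data['invoice_id']];
}

// Deployment check: refuse to run with a key that shipped in the public repository.
// $knownDefaults is a placeholder; populate it from your own audit of committed .env files.
function assertAppKeyIsPrivate(array $knownDefaults): void
{
    $key = (string) config('app.key');
    if ($key === '' || in_array($key, $knownDefaults, true)) {
        throw new RuntimeException('APP_KEY is missing or is a published default; run `php artisan key:generate`');
    }
}

Route::get('/route/{hash}', fn (string $hash) => safeHandler($hash));
```

Rotating APP_KEY invalidates every previously issued encrypted token, so schedule the rotation together with a re-issue of outstanding links.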
Affected Products
- Invoice Ninja v5