CVE-2024-12478 in InvoicePlane
Summary
by MITRE • 12/16/2024
A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/15/2025
The vulnerability identified as CVE-2024-12478 represents a critical unrestricted file upload flaw in InvoicePlane version 1.6.1 and earlier. This security weakness resides within the upload_file function located at /index.php/upload/upload_file/1/1, where the application fails to properly validate file type inputs. The flaw allows remote attackers to bypass security controls and upload arbitrary files to the server, potentially leading to complete system compromise. The vulnerability's classification as critical stems from its remote exploitability and the potential for privilege escalation through malicious file uploads.
The technical implementation of this vulnerability demonstrates a classic input validation failure that maps to CWE-434, which specifically addresses unrestricted upload of file with dangerous type. The attack vector is entirely remote, meaning no local access or authentication is required to exploit the flaw. An attacker can simply send a malicious file through the vulnerable upload endpoint, which then gets processed and stored on the server without proper sanitization or type checking. This creates a pathway for attackers to execute malicious code, potentially leading to server compromise, data theft, or further network infiltration.
The operational impact of this vulnerability extends beyond simple file upload functionality, as it provides a potential entry point for more sophisticated attacks. When combined with other exploitation techniques, the unrestricted upload capability could enable attackers to deploy web shells, malware, or other malicious payloads that persist on the server. The fact that this exploit has been publicly disclosed increases the risk profile significantly, as it removes the element of zero-day advantage that attackers would otherwise possess. Organizations running vulnerable InvoicePlane installations face immediate risk of compromise and should prioritize remediation efforts.
Mitigation strategies for CVE-2024-12478 center exclusively on upgrading to version 1.6.2-beta-1 or later, as this represents the vendor's official fix for the vulnerability. The vendor's response demonstrates good security practices with early contact and rapid release of a patched version, which aligns with recommended incident response protocols. Organizations should implement immediate patch management procedures to address this vulnerability, as the exploit is publicly available and actively being used. Additional defensive measures include implementing proper file type validation, restricting upload directories, and monitoring upload activities for suspicious patterns. The vulnerability also highlights the importance of secure coding practices, particularly around file handling functions, as outlined in the OWASP Top Ten and MITRE ATT&CK framework categories related to web application security.