提出 #449923: GitHub InvoicePlane v1.6.1 Improper Access Controls情報

タイトルGitHub InvoicePlane v1.6.1 Improper Access Controls
説明This report details a critical vulnerability identified within InvoicePlane, a web application used for invoice management. The vulnerability exists in the /invoices/view endpoint, which fails to properly validate session state and authorization after a user logs out. This allows unauthorized access to sensitive invoice data, potentially leading to data breaches, regulatory violations, and session hijacking. Vulnerability Description The /invoices/view endpoint in InvoicePlane lacks proper session management controls. After a user logs out, the application fails to invalidate the session token effectively, allowing access to previously viewed invoices. This weakness can be exploited as follows: Login: A user logs in to the application and accesses an invoice using the /invoices/view endpoint (e.g., /invoices/view/4178). Logout: The user logs out of the application. Intercept Request (Optional): An attacker can capture the request sent to /invoices/view using a tool like Burp Suite. Replay Request: The attacker replays the captured request (or manually constructs a similar request) to the /invoices/view endpoint after the user has logged out. Unauthorized Access: Despite being logged out, the attacker can still access invoice details due to the lack of proper session validation. This exposes sensitive information such as invoice amounts, client details, and product information. Impact Unauthorized Access to Sensitive Data: Attackers can gain unauthorized access to confidential invoice data, including financial information and client details. Data Breaches and Regulatory Violations: This vulnerability creates a high risk of data breaches, potentially leading to financial losses and regulatory violations depending on the type of data exposed. Session Hijacking: Exploiting this vulnerability could also be a stepping stone for session hijacking attacks, allowing attackers to completely take over a user's session. Severity This vulnerability is rated as High due to the potential for unauthorized access to sensitive data, data breaches, and regulatory violations. Affected Endpoint: /invoices/view/{id} Suggested Fixes To mitigate this vulnerability, InvoicePlane should implement the following: Server-Side Token Invalidation: Upon user logout, the server should invalidate any associated session tokens, preventing their further use. Strict Session Validation: The /invoices/view endpoint should enforce strict session validation checks to ensure a valid and active user session before granting access. Proper Authorization Mechanisms: Implement appropriate authorization controls based on user roles and permissions. This guarantees only authorized users can access specific invoices. Cache Control Headers: Enforce appropriate cache control headers to prevent browsers from caching sensitive invoice data. Recommendation I strongly recommend InvoicePlane developers address this vulnerability promptly to protect user data and application security. Implementing the suggested fixes will significantly reduce the risk of unauthorized access to sensitive information. GitHub Link To Project: https://github.com/InvoicePlane/InvoicePlane
ソース⚠️ https://demo.invoiceplane.com/invoices/view/4178
ユーザー
 fahadletsleep (UID 73320)
送信2024年11月22日 08:24 (2 年 ago)
モデレーション2024年12月16日 10:32 (24 days later)
ステータス承諾済み
VulDBエントリ288536 [InvoicePlane 迄 1.6.1 /invoices/view 弱い認証]
ポイント20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!