ISECURION is actively involved in securing open source applications, dedicating our time, talent and resources to the greater good. This was never a severity-based or name-based hunt for us; we perform security testing across all types of platforms in information security, including applications, networks and hardware.
During this testing we found a vulnerability in InvoicePlane version 1.5.0. InvoicePlane is a self-hosted open source application for managing quotes, invoices, clients and payments. Some fields in the application were vulnerable to cross-site scripting (XSS); the XSS we found is stored and DOM based. Stored cross-site scripting arises when user-entered data is saved by the application and later rendered in a response without proper validation or output encoding.
An attacker can use this vulnerability to inject malicious script into the application, which then executes in the browser of any user who views the affected content. The injected script can perform a wide variety of actions in the victim's session, such as stealing the user's cookies, performing actions on their behalf, or capturing their keystrokes.
The “Email address” and “Web address” parameters of the “Add Client” function are vulnerable to cross-site scripting, as shown in the figure below.
After the form is saved, the injected code is executed by the browser in the immediate response. It is also executed whenever a user accesses the client's details, for example while preparing an invoice or performing any other operation that displays the client record. This persistence is what makes the vulnerability a stored XSS, as can be seen in the figures below.
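The following is an added example, not InvoicePlane's code, that shows in plain JavaScript why a client record whose “Email address” and “Web address” fields are attacker-controlled becomes stored XSS when rendered by string concatenation, and what a fixed renderer does differently: it HTML-escapes every field for the context it lands in, and it validates the email and web address on input so that a `javascript:` URL never reaches an `href`. The function names, the email regex, and the sample records are assumptions for illustration; the middle renderer exists to show that output escaping alone still leaves the `href` scheme problem.

```javascript
// Added example (not InvoicePlane code): stored XSS in a client record and its fix.

// Minimal HTML escaper covering the characters that matter in text content
// and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: stored field values are concatenated straight into
// markup, so a payload saved once runs every time the client is displayed.
function renderClientVulnerable(client) {
  return (
    '<div class="client">' +
    "<p>Email: " + client.email + "</p>" +
    '<p>Web: <a href="' + client.web + '">' + client.web + "</a></p>" +
    "</div>"
  );
}

// Escaping only: neutralises tag injection, but an href whose value is
// "javascript:alert(1)" contains no markup characters, so it survives intact.
function renderClientEscapedOnly(client) {
  return (
    '<div class="client">' +
    "<p>Email: " + escapeHtml(client.email) + "</p>" +
    '<p>Web: <a href="' + escapeHtml(client.web) + '">' +
    escapeHtml(client.web) + "</a></p>" +
    "</div>"
  );
}

// Input validation for the two fields named in the advisory. These are
// assumed checks, not InvoicePlane's: a conservative email shape, and a web
// address that must parse as a URL with an http(s) scheme. Both return null
// when the value is unacceptable.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function validateEmail(value) {
  const v = String(value).trim();
  return EMAIL_RE.test(v) ? v : null;
}

function validateWebAddress(value) {
  let url;
  try {
    url = new URL(String(value).trim()); // WHATWG URL parser, built into Node and browsers
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  // Scheme allow-list: this is the check that escaping cannot substitute for.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href; // normalised form, e.g. trailing slash added
}

// Fixed renderer: rejects records that fail validation and escapes every
// field for the context it is placed in.
function renderClientSafe(client) {
  const email = validateEmail(client.email);
  const web = validateWebAddress(client.web);
  if (email === null || web === null) {
    throw new Error("invalid client record");
  }
  return (
    '<div class="client">' +
    "<p>Email: " + escapeHtml(email) + "</p>" +
    '<p>Web: <a href="' + escapeHtml(web) + '">' + escapeHtml(web) + "</a></p>" +
    "</div>"
  );
}

// Constructed sample records (not taken from the advisory). The first mimics
// the class of payload a tester would submit through "Add Client".
const maliciousClient = {
  email: "<img src=x onerror=alert(document.cookie)>",
  web: "javascript:alert(1)",
};
const benignClient = { email: "billing@example.com", web: "https://example.com" };

// Summarises the three behaviours so the difference is visible at a glance.
function demonstrate() {
  const vulnerable = renderClientVulnerable(maliciousClient);
  const escapedOnly = renderClientEscapedOnly(maliciousClient);
  let safeRejected = false;
  try { renderClientSafe(maliciousClient); } catch (e) { safeRejected = true; }
  return {
    vulnerableHasImgTag: vulnerable.includes("<img src=x onerror="),
    escapedOnlyHasImgTag: escapedOnly.includes("<img"),
    escapedOnlyHasJsHref: escapedOnly.includes('href="javascript:alert(1)"'),
    safeRejected,
    benignHtml: renderClientSafe(benignClient),
  };
}

console.log(demonstrate());
```

The point of the middle renderer is the caveat: output encoding removes the `<img ... onerror=...>` vector that the advisory's screenshots illustrate, but a web address field that lands in an `href` needs a scheme allow-list as well, because `javascript:` contains nothing an HTML escaper would touch.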
08-Sep-2017: Vulnerability is reported to vendor
10-Sep-2017: Vendor confirmed the vulnerability
13-Feb-2018: Vendor fixed the vulnerability in a later version (InvoicePlane 1.5.6)
06-Mar-2018: CVE-2017-18217 assigned for the vulnerability
The InvoicePlane team took this report into consideration and coordinated with team ISECURION on patching the vulnerability. We appreciate the actions of InvoicePlane towards securing the application.