Invoice Ninja suffers from a Server-Side Request Forgery flaw

January 2, 2025

Invoice Ninja, a well-known open-source invoicing and project management software, suffers from a Server-Side Request Forgery (SSRF) vulnerability. Reports revealed this flaw could allow attackers to access sensitive files on the system’s host server.

Researchers track this vulnerability as CVE-2024-53353. The flaw lies in Invoice Ninja's PDF creation feature, which attackers can abuse to trigger the SSRF.

The flaw allows both local users who can create or change invoices and low-privileged client portal users to inject malicious payloads during PDF production. Once exploited, attackers could read critical files, such as the /etc/passwd file or the .env configuration file, which often contains database credentials.


The Invoice Ninja flaw can provide sensitive data through a PDF.


The Invoice Ninja vulnerability assessment explains that clients with access to the client portal can trigger the attack by altering their own data before a quote is generated. The affected component does use a blacklist filter meant to strip potentially dangerous HTML tags and protocols.

However, this filter has significant limitations: attackers can bypass it through case variations or alternative representations of the blocked tags and protocols.
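To make the filter weakness concrete, the following is an added example (not Invoice Ninja's code, and the blocklist and field values in it are assumptions constructed for illustration). It contrasts a case-sensitive fragment blocklist of the kind the advisory describes with the two defences a practitioner would actually want: HTML-escaping user-supplied field text before it reaches the PDF template, and a scheme/host allowlist for any resource the renderer is asked to fetch.

```python
"""Added example (not Invoice Ninja's code): why a tag blocklist fails when
user-controlled text is rendered into a PDF, and what to do instead.

The blocklist, the field values and the URL checks below are constructed
for illustration; they are assumptions, not the project's real filter.
"""
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical blocklist of the kind the advisory describes: fixed
# "dangerous" fragments, matched literally and case-sensitively.
BLOCKED_FRAGMENTS = ("<iframe", "<object", "<embed", "<script", "file:")

# Constructed sample field values (not from the advisory). The second one
# differs from the first only in letter case.
LOWERCASE_INJECTION = 'Consulting <iframe src="file:///some/local/file"></iframe>'
UPPERCASE_INJECTION = 'Consulting <IFRAME SRC="FILE:///some/local/file"></IFRAME>'


def naive_blocklist_filter(field: str) -> str:
    """Weak approach: delete known-bad fragments from the raw string.
    str.replace is case-sensitive, so a capitalised tag slips through."""
    for bad in BLOCKED_FRAGMENTS:
        field = field.replace(bad, "")
    return field


def contains_markup(rendered: str) -> bool:
    """True if the text still contains a start tag for an element that a
    PDF renderer would act on (case-insensitive, unlike the blocklist)."""
    return re.search(r"<\s*(iframe|object|embed|script)\b", rendered, re.IGNORECASE) is not None


def escape_for_template(field: str) -> str:
    """Correct approach: user data is text, never markup. Every '<', '>',
    '&' and quote becomes an entity, so case tricks and alternate spellings
    of a tag are irrelevant: nothing the user typed is parsed as HTML."""
    return html.escape(field, quote=True)


ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_resource_url(url: str) -> bool:
    """Defence in depth for the renderer: fetch only http(s) resources from
    non-local hosts. file:, data: and similar schemes fail the allowlist;
    'localhost' and loopback/private/link-local IP literals fail the host
    check. DNS resolution is deliberately not done here (offline example),
    so a production check must also validate the resolved addresses."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    if not host or host == "localhost":
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: acceptable here, resolve-and-check in production
    return not (addr.is_private or addr.is_loopback
                or addr.is_link_local or addr.is_reserved)


if __name__ == "__main__":
    for label, value in (("lowercase", LOWERCASE_INJECTION), ("uppercase", UPPERCASE_INJECTION)):
        after_blocklist = naive_blocklist_filter(value)
        print(f"{label}: blocklist left markup? {contains_markup(after_blocklist)}; "
              f"escaped left markup? {contains_markup(escape_for_template(value))}")
    for url in ("https://example.com/logo.png", "file:///etc/hostname", "http://127.0.0.1/"):
        print(f"{url}: allowed={is_allowed_resource_url(url)}")
```

The lesson is the one the advisory states: a blocklist has to enumerate every spelling of every dangerous construct, while escaping removes the whole class of bugs because the template never sees user text as HTML. The URL allowlist is a second layer for the renderer itself, so that even markup which does slip through cannot make it read local files or internal services.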

In the main portal scenario, an attacker with “Create/Edit Invoice” permissions could deploy a payload like in the invoice description field. This action extracts the contents of sensitive files into the generated PDF.

Similarly, in the client portal scenario, a low-privileged user could place malicious payloads in their profile settings, exploiting the PDF generation triggered when a quote is viewed. In the main portal, an attacker can use the "Description" field during invoice creation; injecting into that field exposed the contents of the ".env" file, including database and service credentials.

Low-privileged users can exploit this weakness by placing malicious payloads in editable profile fields. The payload is processed during PDF production for a quote, allowing attackers to retrieve sensitive files even with restricted access privileges.

This vulnerability poses a significant security danger, particularly on systems where the .env file contains hardcoded credentials. The researchers therefore warn that an attacker who knows the application's full filesystem path can use such payloads to view the contents of crucial files, revealing cleartext credentials and other sensitive data.

Therefore, users should install the security updates from the Invoice Ninja development team to reduce or prevent the risk of CVE-2024-53353.
