We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-55555



Description

Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.

Reserved 2024-12-08 | Published 2025-01-07 | Updated 2025-01-07 | Assigner mitre

References

github.com/...ommit/d9302021472c3e7e23bac8c3d5fbec57a5f38f0c

www.synacktiv.com/...ote-command-execution-when-appkey-known

cve.org (CVE-2024-55555)

nvd.nist.gov (CVE-2024-55555)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-55555

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.