58 matches found
Cross-site Scripting in Crater Invoice
Crater invoice prior to version 6.0.0 has a cross-site scripting vulnerability...
GHSA-6VFW-74WR-3CHH Cross-site Scripting in Crater Invoice
Crater invoice prior to version 6.0.0 has a cross-site scripting vulnerability...
CVE-2022-0372 Cross-site Scripting (XSS) - Stored in crater-invoice/crater
Cross-site Scripting XSS - Stored in Packagist bytefury/crater prior to 6.0.2...
Cross-Site Request Forgery (CSRF) in crater-invoice/crater
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState'', '', '/' document.forms0.submit; Impact This vulnerability is capable of forging users to unintentional logout. More details One way GET could be abused here i...
Missing Authorization in Crater Invoice
Crater Invoice prior to version 6.0.2 has a missing authorization vulnerability...
GHSA-XH9G-CP3V-P8Q4 Missing Authorization in Crater Invoice
Crater Invoice prior to version 6.0.2 has a missing authorization vulnerability...
CVE-2022-0203
Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2...
Improper access control
Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2...
CVE-2022-0203 Improper Access Control in crater-invoice/crater
Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2...
Crater Invoice crater 安全漏洞
Crater Invoice Crater is an open source web and mobile application from Crater Invoice, Inc. for tracking expenses, payments and creating professional invoices and estimates. Crater Invoice crater has a security vulnerability that stems from improper access control in the GitHub repository prior ...
CVE-2022-0242
Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0...
CVE-2022-0242
Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0...
CVE-2022-0242 Unrestricted Upload of File with Dangerous Type in crater-invoice/crater
Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0...
Cross-site Scripting (XSS) - Stored in crater-invoice/crater
Description There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute Javascript. All that is required is that the victim browse to the link location of the .SVG file Proof of Concept xss.svg:...
CVE-2021-4080 Unrestricted Upload of File with Dangerous Type in crater-invoice/crater
crater is vulnerable to Unrestricted Upload of File with Dangerous Type...
Crater Invoice Crater 代码问题漏洞
Crater Invoice Crater is an open source web and mobile application from Crater Invoice, Inc. for tracking expenses, payments and creating professional invoices and estimates. Crater Invoice crater suffers from a code issue vulnerability that stems from the unrestricted upload of dangerous types o...
Improper Access Control in crater-invoice/crater
Description In recent Crater version faf1ef09 tag: 5.0.6 I discovered, that not authenticated user can download all expense receipts uploaded to any company. Proof of Concept Python import requests for i in range1, 100: r = requests.getf'http://172.17.0.1:8080/expenses/i/download-receipt' if...
PHP Remote File Inclusion in crater-invoice/crater
Description No mime type restriction on file uploads, allowing an attacker to upload and execute arbitrary PHP code. Proof of Concept Login to the dashboard, preferably using your own localhost install. Go to "Expenses", "Settings Account" or "Settings Company". Upload any PHP file you want. Impa...