CVE-2025-64012
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invoiceplane | invoiceplane | 1.6.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64012 is an Insecure Direct Object Reference (IDOR) vulnerability in InvoicePlane version 1.6.1. It occurs because the invoices/view handler does not verify ownership before returning invoice data. This allows an authenticated user to access invoices belonging to other users by manipulating the invoice ID parameter in the request URL, leading to unauthorized disclosure of invoice data. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized read access to sensitive financial and customer information. It breaches tenant or user isolation by allowing users to view invoices that do not belong to them, potentially exposing confidential data and causing privacy and security risks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access invoice data belonging to other users by manipulating the `invoice_id` parameter in the URL path `/invoices/view/{invoice_id}` while authenticated as a different user. For example, you can log in as one user, capture the `invoice_id` from a legitimate invoice request, then log in as another user and try to access the first user's invoice by changing the `invoice_id` in the URL. If the invoice data is returned without proper ownership verification, the system is vulnerable. Commands to test this could include using curl or a similar HTTP client to send requests with a modified `invoice_id`, such as `curl -b cookies.txt https://your-invoiceplane-instance/invoices/view/{invoice_id}`, where `cookies.txt` contains the authenticated session cookies of the second user. Observing whether unauthorized invoice data is returned indicates the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading InvoicePlane to a version later than 1.6.1 where this vulnerability has been addressed. Additionally, review and correct any URL endpoints related to guest download attachments as per the reverted commit to ensure proper access controls are enforced. Specifically, ensure that ownership or permission checks are implemented on invoice view and download handlers to prevent unauthorized access. If upgrading is not immediately possible, restrict access to the invoice view endpoints to trusted users and monitor for suspicious access patterns. [1, 2]
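The ownership check described in the answers above, shown as an added example (not InvoicePlane's own code): a hypothetical `invoices/view` handler that looks up a record by the client-supplied ID alone, next to a corrected handler that scopes the lookup to the session user. The in-memory invoice table, user IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_user_id: int
    amount: float


# Constructed sample data standing in for the invoices table: two users
# (IDs 10 and 20), each owning one invoice.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(invoice_id=1, owner_user_id=10, amount=120.0),
    2: Invoice(invoice_id=2, owner_user_id=20, amount=999.0),
}


def view_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR pattern: the record is fetched by the client-controlled ID only.

    The authenticated user's identity is never consulted, so any logged-in
    user can read any invoice by changing the ID in the URL.
    """
    return INVOICES.get(invoice_id)


def find_invoice_for_owner(invoice_id: int, owner_user_id: int) -> Optional[Invoice]:
    """Equivalent of `... WHERE invoice_id = ? AND user_id = ?`.

    Making ownership part of the lookup itself means a caller cannot
    forget the check, and a foreign ID and a nonexistent ID both yield
    the same "not found" result, so the endpoint does not confirm which
    invoice IDs exist to users who do not own them.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_user_id != owner_user_id:
        return None
    return inv


def view_invoice_fixed(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Corrected handler: the owner comes from the server-side session,
    never from anything the client sent in the request."""
    return find_invoice_for_owner(invoice_id, owner_user_id=session_user_id)
```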
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to sensitive financial and customer information by bypassing ownership checks on invoice data. Such unauthorized disclosure of personal and financial data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal data. Therefore, the vulnerability poses a risk to compliance with these common standards and regulations. [1]