CVE-2025-67082
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invoiceplane | invoiceplane | to 1.6.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated SQL injection in InvoicePlane versions up to 1.6.3. It occurs in the reporting functionality where the parameters 'minQuantity' and 'maxQuantity' are not properly sanitized before being used in SQL queries. This allows an attacker who is logged in to inject malicious SQL code via these parameters, potentially extracting arbitrary data from the database. [2]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can extract sensitive data from the database, and depending on their privileges, may also modify or delete data or abuse database functionality. This can lead to unauthorized disclosure of confidential information and potential disruption of the invoicing system. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'minQuantity' and 'maxQuantity' parameters in the reporting functionality of InvoicePlane for SQL injection. Since it requires authentication, you can attempt to inject SQL payloads (such as single quotes or error-based SQL injection strings) into these parameters and observe if the application returns database errors or unexpected data. Specific commands would involve using tools like sqlmap with authentication cookies or manual testing via curl or browser developer tools to send crafted requests to the report generation endpoint, targeting these parameters. For example, using curl to send a POST request with 'minQuantity' or 'maxQuantity' set to a single quote (') and checking for SQL errors in the response. However, no exact commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade InvoicePlane to version 1.6.4 or later, where this SQL injection vulnerability has been fixed. Until the upgrade can be performed, restrict access to the reporting functionality to trusted authenticated users only, and consider applying web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'minQuantity' and 'maxQuantity' parameters. [2]