Vulnerability Details CVE-2021-29024
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 67.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/InvoicePlane/InvoicePlane/pull/754
- https://notnnor.github.io/research/2021/03/17/files-or-directories-accessible-to-external-parties-in-invoiceplane.html
- https://github.com/InvoicePlane/InvoicePlane/pull/754
- https://notnnor.github.io/research/2021/03/17/files-or-directories-accessible-to-external-parties-in-invoiceplane.html
Products affected by CVE-2021-29024
-
cpe:2.3:a:invoiceplane:invoiceplane:1.5.11