Critical SSRF Vulnerability (CVE-2024-53353) Found in Invoice Ninja
A newly identified Server-Side Request Forgery (SSRF) vulnerability in Invoice Ninja, a popular open-source invoicing and project management platform, could allow attackers to read sensitive files from the system’s host server. This vulnerability, tracked as CVE-2024-53353, was discovered by security researcher Arben Shala at Pretera, who has detailed its potential impact on users and organizations relying on Invoice Ninja.
Invoice Ninja, built with Laravel, includes a PDF generation feature that attackers can exploit to trigger the SSRF vulnerability. The flaw allows both local users with permissions to create or edit invoices and low-privileged client portal users to inject malicious payloads during PDF generation. Once exploited, attackers could access critical files, such as the “/etc/passwd” file or the “.env” configuration file, which often contains database credentials, SMTP credentials, and other sensitive information.
“The same attack vector can be triggered by clients that have access to the client portal, so they can modify their personal data to trigger the attack when a quote gets generated for them,” the analysis explains.
The vulnerability resides in the PDF generation process. Static code analysis revealed that Invoice Ninja uses a blacklist filter to prevent potentially dangerous HTML tags and protocols. However, this approach has significant limitations, as attackers can bypass filters through case variations or alternative representations. For instance, the filter targets “file://”, but attackers could circumvent it with “File://” or similar variations.
In the main portal scenario, an attacker with “Create/Edit Invoice” permissions could input a payload like <embed src="File:///etc/passwd"> in the invoice description field. This action renders the contents of sensitive files into the generated PDF. Similarly, in the client portal scenario, a low-privileged user could inject malicious payloads into their profile settings, exploiting the PDF generation triggered when viewing a quote.
An attacker with access to the main portal can exploit the “Description” field in the invoice creation process. The researcher demonstrated that injecting <embed src="/usr/share/nginx/invoiceninja/.env"> into the field rendered the “.env” file contents, exposing database and service credentials.
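The filter weakness described above (an exact-case match on "file://") and the bare-path form of the payload in the previous paragraph can be checked side by side against a scheme allowlist. The following Python is an added illustration, not Invoice Ninja's code; the URL attribute set, the allowed schemes and the sample strings are assumptions constructed for it.

```python
"""Added model of the filter weakness: a case-sensitive blacklist beside a
scheme allowlist. Not Invoice Ninja's code; the attribute set, allowed
schemes and sample strings are constructed for this illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which an HTML-to-PDF renderer can be told to fetch a resource.
URL_ATTRS = {"src", "href", "data", "poster", "background"}
ALLOWED_SCHEMES = {"http", "https"}


def blacklist_filter(html: str) -> bool:
    """Weak approach in the style the article describes: exact-case substring
    match on a denied protocol. Returns True when the input is accepted."""
    return "file://" not in html


class _UrlAttrCollector(HTMLParser):
    """Collects every URL-bearing attribute value, whatever the tag."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names for us.
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                self.urls.append(value)


def allowlist_check(html: str) -> list[str]:
    """Returns the URL values that would be refused (empty list = accepted).
    Only absolute http(s) URLs pass: urlsplit() lower-cases the scheme, so
    'File:' and 'FILE:' are both seen as 'file', and a bare path such as
    '/etc/passwd' has no scheme at all and is refused as well."""
    parser = _UrlAttrCollector()
    parser.feed(html)
    parser.close()
    return [u for u in parser.urls
            if urlsplit(u.strip()).scheme not in ALLOWED_SCHEMES]


# Constructed samples mirroring the payload shapes quoted in the article.
SAMPLES = {
    "case_variant": '<embed src="File:///etc/passwd">',
    "bare_path": '<embed src="/usr/share/nginx/invoiceninja/.env">',
    "benign": '<img src="https://example.invalid/logo.png">',
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(f"{label:13} blacklist accepts={blacklist_filter(html)!s:5} "
              f"allowlist rejects={allowlist_check(html)}")
```

Rejecting relative paths is deliberate for a server-side renderer: anything it should embed can be referenced by an absolute https URL, so a value without an allowed scheme has no legitimate use there.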
Low-privileged users can exploit this vulnerability by injecting malicious payloads into editable profile fields. The payload triggers during PDF generation for a quote, allowing attackers to extract sensitive files even with limited access rights.
This vulnerability presents a severe security risk, especially for systems where the .env file contains hardcoded credentials. “An attacker knowing the full path of the application can use payloads to read the content of critical files, which can contain cleartext credentials and other sensitive data,” Shala warns.
To mitigate the risks of CVE-2024-53353, Pretera recommends applying the security updates released by the Invoice Ninja development team.