What the vulnerability does
01Description
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
What the vulnerability does
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
Explanation of Vulnerability in Simple Terms
Easy Invoice versions up to 2.1.19 contain a code injection vulnerability that allows unauthenticated attackers to run arbitrary PHP code on the server without user interaction. The vulnerability affects the entire system due to scope change. An attacker can gain complete control over the site, including reading sensitive data, modifying content, and disrupting service.
What an attacker can do
Run arbitrary PHP code on the server and take complete control of the site.
Potential impact on your site
Complete compromise of the site, data, and server. Immediate patching required.
Conditions required to exploit
Network access only; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities