CVE-2021-3977: invoiceninja is vulnerable to Cross-site Scripting
CVSS Score: 5.4 (CVSS v3.1)

Basic Information

CVE ID: CVE-2021-3977
GHSA ID:
EPSS Score: 0.48093%
CWE:
Published: 1/6/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
hillelcoren/invoice-ninja | composer | < 5.3.35 | 5.3.35 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper handling of the 'company_key' value in the password reset flow. The original code used a session-stored 'company_key' to set the database context, and that session value could be manipulated via session poisoning or other means. If the value was later reflected in web output without sanitization (for example in error messages or hidden form fields), it provided an XSS vector. The patch in commit 1186eaa changed the code to read the value from request input directly and removed the session dependency, which indicates that the original implementation lacked proper input validation and output encoding for this parameter.