{"id":"CVE-2017-1000238","details":"InvoicePlane version 1.4.10 is vulnerable to an arbitrary file upload that allows an authenticated user to upload a malicious file to the webserver. An attacker can upload a script that is able to compromise the webserver.","modified":"2026-04-10T03:54:37.185805Z","published":"2017-11-17T03:29:00.407Z","references":[{"type":"REPORT","url":"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170523-0_InvoicePlane_Upload_arbitrary_files_stored_XSS_v10.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/invoiceplane/invoiceplane","events":[{"introduced":"0"},{"last_affected":"8051e44a2de154cb32a1ad5879d0ddaf4a5fdf81"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.10"}]}}],"versions":["0.9beta","v1.0.0","v1.0.1","v1.1.0","v1.2.0","v1.4.0","v1.4.1","v1.4.10","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000238.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}