📄 Description (English)
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
🤖 AI Executive Summary
InvoiceShelf versions prior to 2.2.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the Estimate PDF generation module that allows attackers to make arbitrary HTTP requests from the server by injecting malicious HTML into the estimate Notes field. The vulnerability is directly exploitable through PDF preview and customer view endpoints without authentication requirements. With a CVSS score of 7.6 and publicly available exploits, this poses an immediate threat to organizations using InvoiceShelf for financial document management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 01:01
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in the financial services, accounting, and SME sectors using InvoiceShelf are at significant risk. This vulnerability directly impacts: (1) Banking sector and financial institutions using InvoiceShelf for invoice management and customer billing; (2) Government agencies and municipalities managing procurement and vendor payments; (3) Healthcare providers processing patient billing and insurance claims; (4) Energy sector contractors managing project invoicing; (5) Telecom and retail SMEs using the platform for customer billing. The SSRF vulnerability enables attackers to access internal network resources, scan internal infrastructure, exfiltrate sensitive financial data, and potentially pivot to connected systems on the organization's network.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Retail and E-commerce
Accounting and Audit Firms
Small and Medium Enterprises (SMEs)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all InvoiceShelf instances in your environment and document their versions
2. Disable or restrict access to PDF preview and customer view endpoints until patching is complete
3. Implement network segmentation to limit the server's ability to make outbound requests
4. Monitor for suspicious outbound HTTP/HTTPS connections from InvoiceShelf servers
PATCHING GUIDANCE:
1. Upgrade InvoiceShelf to version 2.2.0 or later immediately
2. Test the upgrade in a non-production environment first
3. Verify that all estimate PDF generation functions work correctly post-upgrade
4. Clear any cached PDF files generated before the patch
COMPENSATING CONTROLS (if immediate patching is not possible):
1. Implement Web Application Firewall (WAF) rules to block requests containing HTML/XML markup in the Notes field
2. Use egress filtering to restrict outbound connections from the InvoiceShelf server to only necessary external services
3. Implement rate limiting on PDF generation endpoints
4. Require authentication for all PDF preview and customer view endpoints
5. Disable HTML rendering in the Notes field if the application supports plain text mode
DETECTION RULES:
1. Monitor for POST requests to estimate creation/update endpoints with HTML/XML content in Notes field
2. Alert on outbound HTTP requests from InvoiceShelf server to non-whitelisted external IPs
3. Log and review all PDF generation requests, particularly those with unusual parameters
4. Monitor for requests containing file:// or gopher:// protocol schemes in estimate data
5. Track failed DNS resolution attempts from the InvoiceShelf server
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نسخ InvoiceShelf في بيئتك وقم بتوثيق إصداراتها
2. عطّل أو قيّد الوصول إلى نقاط نهاية معاينة PDF وعرض العميل حتى يتم إكمال التصحيح
3. طبّق تقسيم الشبكة لتحديد قدرة الخادم على إجراء طلبات خارجية
4. راقب الاتصالات HTTP/HTTPS الخارجية المريبة من خوادم InvoiceShelf
إرشادات التصحيح:
1. قم بترقية InvoiceShelf إلى الإصدار 2.2.0 أو أحدث على الفور
2. اختبر الترقية في بيئة غير إنتاجية أولاً
3. تحقق من أن جميع وظائف إنشاء PDF للتقديرات تعمل بشكل صحيح بعد التصحيح
4. امسح أي ملفات PDF مخزنة مؤقتاً تم إنشاؤها قبل التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. طبّق قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على علامات HTML/XML في حقل الملاحظات
2. استخدم تصفية الخروج لتقييد الاتصالات الخارجية من خادم InvoiceShelf إلى الخدمات الخارجية الضرورية فقط
3. طبّق تحديد معدل على نقاط نهاية إنشاء PDF
4. اطلب المصادقة لجميع نقاط نهاية معاينة PDF وعرض العميل
5. عطّل عرض HTML في حقل الملاحظات إذا كان التطبيق يدعم وضع النص العادي
قواعد الكشف:
1. راقب طلبات POST إلى نقاط نهاية إنشاء/تحديث التقديرات التي تحتوي على محتوى HTML/XML في حقل الملاحظات
2. أصدر تنبيهات للطلبات HTTP الخارجية من خادم InvoiceShelf إلى عناوين IP خارجية غير مدرجة في القائمة البيضاء
3. سجّل واستعرض جميع طلبات إنشاء PDF، خاصة تلك التي تحتوي على معاملات غير عادية
4. راقب الطلبات التي تحتوي على مخططات بروتوكول file:// أو gopher:// في بيانات التقدير
5. تتبع محاولات حل DNS الفاشلة من خادم InvoiceShelf
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Information Security Policies and Procedures
5.2.1 - Access Control Implementation
5.3.1 - Cryptography and Data Protection
5.4.1 - Logging and Monitoring
5.5.1 - Incident Management
5.6.1 - Vulnerability Management and Patch Management
🔵 SAMA CSF
Governance - Risk Management Framework
Governance - Third-party Risk Management
Protection - Access Control
Protection - Data Protection
Detection - Security Monitoring
Response - Incident Response
🟡 ISO 27001:2022
A.5.1 - Policies for information security
A.6.1 - Organization of information security
A.8.1 - Asset management
A.12.2 - Restrictions on software installation
A.12.6 - Management of technical vulnerabilities
A.14.2 - Security requirements analysis and specification
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 11 - Regularly test security systems and processes
🔗 References & Sources 3
🔗
https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0
security-advisories@github.com
Product
🔗
https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
invoiceshelf:invoiceshelf