📄 Description (English)
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
🤖 AI Executive Summary
InvoiceShelf versions prior to 2.2.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the payment receipt PDF generation module that allows attackers to make arbitrary HTTP requests from the server by injecting malicious HTML in the payment Notes field. This vulnerability is directly exploitable via the PDF receipt endpoint and could enable attackers to access internal resources, perform reconnaissance, or exfiltrate sensitive data. The high CVSS score of 7.6 and confirmed exploit availability make this a significant threat requiring immediate patching.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 01:01
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using InvoiceShelf for financial operations face significant risk, particularly in the banking sector (SAMA-regulated institutions), accounting firms, and government procurement entities. The vulnerability could allow attackers to: (1) Access internal network resources and SAMA-connected systems, (2) Exfiltrate sensitive financial data and invoice information, (3) Perform reconnaissance on internal infrastructure. Small and medium enterprises (SMEs) in Saudi Arabia that rely on InvoiceShelf for invoicing are particularly vulnerable due to limited security resources. The vulnerability directly impacts compliance with SAMA CSF requirements for secure data handling and NCA ECC controls for access management.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Accounting and Audit Firms
Healthcare
Retail and E-commerce
Telecommunications
Energy and Utilities
Small and Medium Enterprises (SMEs)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all InvoiceShelf instances in your environment and verify their version numbers
2. Disable or restrict access to the PDF receipt generation endpoint until patching is complete
3. Implement network-level controls to prevent outbound HTTP/HTTPS requests from the InvoiceShelf application server
4. Review audit logs for suspicious PDF generation requests with unusual HTML content in Notes fields
PATCHING GUIDANCE:
1. Upgrade InvoiceShelf to version 2.2.0 or later immediately
2. If immediate patching is not possible, implement Web Application Firewall (WAF) rules to block requests containing HTML/XML markup in the Notes field
3. Restrict the application's outbound network access using firewall rules to only necessary destinations
COMPENSATING CONTROLS:
1. Implement input validation to sanitize HTML content in payment Notes fields before PDF generation
2. Configure the Dompdf library with disabled remote resource loading (disable_remote_files = true)
3. Use network segmentation to isolate InvoiceShelf servers from sensitive internal resources
4. Implement egress filtering to prevent the application from making unexpected outbound connections
DETECTION RULES:
1. Monitor for PDF generation requests with HTML/XML tags in Notes field parameters
2. Alert on unexpected outbound HTTP/HTTPS connections from InvoiceShelf application servers
3. Log and review all PDF receipt generation activities, particularly those with large or suspicious payloads
4. Implement IDS/IPS signatures to detect SSRF attack patterns targeting internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نسخ InvoiceShelf في بيئتك وتحقق من أرقام إصداراتها
2. عطّل أو قيّد الوصول إلى نقطة نهاية إنشاء إيصال PDF حتى يتم إكمال التصحيح
3. طبّق عناصر تحكم على مستوى الشبكة لمنع طلبات HTTP/HTTPS الصادرة من خادم تطبيق InvoiceShelf
4. راجع سجلات التدقيق للبحث عن طلبات إنشاء PDF المريبة التي تحتوي على محتوى HTML غير عادي في حقول الملاحظات
إرشادات التصحيح:
1. قم بترقية InvoiceShelf إلى الإصدار 2.2.0 أو أحدث على الفور
2. إذا لم يكن التصحيح الفوري ممكناً، طبّق قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على علامات HTML/XML في حقل الملاحظات
3. قيّد الوصول إلى الشبكة الخارجية للتطبيق باستخدام قواعد جدار الحماية إلى الوجهات الضرورية فقط
عناصر التحكم البديلة:
1. طبّق التحقق من صحة المدخلات لتنظيف محتوى HTML في حقول ملاحظات الدفع قبل إنشاء PDF
2. قم بتكوين مكتبة Dompdf مع تعطيل تحميل الموارد البعيدة (disable_remote_files = true)
3. استخدم تقسيم الشبكة لعزل خوادم InvoiceShelf عن الموارد الداخلية الحساسة
4. طبّق تصفية الخروج لمنع التطبيق من إجراء اتصالات صادرة غير متوقعة
قواعد الكشف:
1. راقب طلبات إنشاء PDF التي تحتوي على علامات HTML/XML في معاملات حقل الملاحظات
2. أصدر تنبيهات عند اتصالات HTTP/HTTPS صادرة غير متوقعة من خوادم تطبيق InvoiceShelf
3. سجّل وراجع جميع أنشطة إنشاء إيصالات PDF، خاصة تلك التي تحتوي على حمولات كبيرة أو مريبة
4. طبّق توقيعات IDS/IPS للكشف عن أنماط هجمات SSRF التي تستهدف نطاقات IP الداخلية (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - Input Validation and Output Encoding
5.3.1 - Secure Development Practices
6.1.1 - Vulnerability Management
6.2.1 - Patch Management
🔵 SAMA CSF
ID.BE-1 - Business Objectives and Strategies
PR.AC-1 - Access Control
PR.DS-1 - Data Security
DE.CM-1 - Detection and Analysis
RS.MI-1 - Incident Response and Management
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
6.2 - Ensure all system components and software are protected from known vulnerabilities
6.5.1 - Injection flaws
11.2 - Run automated vulnerability scanning tools
📦 Affected Products / CPE 1 entries
invoiceshelf:invoiceshelf