Impact
A weakness exists in crater‑invoice‑inc crater up to version 6.0.6. The vulnerability resides in the getFormattedString function of app/Http/Requests/InvoicesRequest.php within the Invoice Note Handler component. By manipulating the notes argument, an attacker can inject malicious scripts, leading to a cross‑site scripting (XSS) condition. The attack vector is remote, as the exploit can be triggered over HTTP by supplying crafted input.
Affected Systems
The affected product is crater‑invoice‑inc crater. Versions through 6.0.6 are vulnerable; later releases are presumed to have the fix applied, but only the CVE specifies that the issue is present up to 6.0.6. No other vendors or products are listed.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate risk. The EPSS score of 0.00203 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, yet an exploit is publicly available. Because the flaw allows arbitrary client‑side script execution, it can be used to deface pages, harvest session cookies, or execute phishing attacks. Even though the impact is limited to the victim’s browser, the convenience of remote exploitation increases its real‑world threat.
OpenCVE Enrichment