Key Vulnerability Information

CVEs:
- CVE-2025-67082
- CVE-2025-67083
- CVE-2025-67084

Product: InvoicePlane
Severity: High
Affected Version(s): ≤ 1.6.3
Fixed Version(s): 1.6.4

Issue: Multiple security vulnerabilities were identified in InvoicePlane affecting version 1.6.3 and earlier. They include an unauthenticated file read, an authenticated SQL injection, and an authenticated arbitrary PHP file upload; the PHP upload may lead to remote code execution (RCE). Upgrading to 1.6.4 addresses all three.

Timeline:

Technical Details:
- Unauthenticated File Read / CVE-2025-67083: An unauthenticated attacker can read files from the server through a directory traversal vulnerability.
- Authenticated SQL Injection / CVE-2025-67082: An authenticated user can inject arbitrary SQL commands.
- Authenticated Arbitrary PHP File Upload / CVE-2025-67084: An authenticated user can upload arbitrary PHP files, which may be executed by the web server.
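The advisory names three bug classes but does not describe the affected code paths, so the following PHP is an added example, not InvoicePlane's code and not a reconstruction of the flaws. It shows the generic defensive counterpart of each class: a base-directory containment check for user-supplied file names (traversal), a bound parameter instead of string concatenation (SQL injection), and an extension plus content-type allowlist with a server-generated file name for uploads. The table and column names, the base directory and the upload directory are hypothetical placeholders.

```php
<?php
// Added example (not InvoicePlane's own code). Generic hardening patterns for the
// three vulnerability classes in the advisory. All names and paths are hypothetical.
declare(strict_types=1);

/**
 * 1. Directory traversal (cf. the unauthenticated file read).
 * Resolve the requested name against a fixed base directory and refuse anything whose
 * canonical path escapes it. realpath() collapses "..", "./" and symlinks, so the check
 * does not rely on blacklisting "../" substrings.
 */
function resolveInBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes, empty names and absolute paths never belong in a user-supplied file name.
    if ($requested === '' || str_contains($requested, "\0") || $requested[0] === '/') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // non-existent target; same answer as "forbidden" to avoid probing
    }
    // Compare with a trailing separator so "/srv/docs2/x" is not accepted as inside "/srv/docs".
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

/**
 * 2. SQL injection (cf. the authenticated SQL injection).
 * The user value is bound as a parameter; it can never change the query structure.
 * Table and column names below are placeholders, not InvoicePlane's schema.
 */
function findInvoiceById(PDO $db, string $invoiceId): ?array
{
    $stmt = $db->prepare('SELECT id, number, client_id FROM invoices WHERE id = :id');
    $stmt->execute([':id' => $invoiceId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * 3. Arbitrary PHP upload (cf. the authenticated file upload).
 * Allowlist the extension, verify the real content type against it, and write the file
 * under a server-generated name. $destDir should sit outside the web root, or have PHP
 * execution disabled for it, so that even a mistake here does not yield code execution.
 */
function storeUpload(string $tmpPath, string $originalName, string $destDir): ?string
{
    $allowed = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }
    // Only the final extension counts; "shell.php.jpg" yields "jpg" and must then match the bytes.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $allowed[$ext]) {
        return null;
    }
    // Discard the client-supplied name entirely; keep only the vetted extension.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $newName;
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    return $dest;
}
```

`resolveInBase('/srv/app/docs', '../../etc/passwd')` returns null because the canonical path lands outside the base; a legitimate `invoice-42.pdf` inside it resolves normally. For the upload path, the MIME check is what stops a PHP payload renamed to `.jpg`; the allowlist alone would not, since `jpg` is permitted. The functions are PHP 8 (str_contains, str_starts_with) and assume the fileinfo extension is available.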