InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Se…

InvoiceShelf, an open-source invoicing application, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 2.2.0. The vulnerability exists in the Invoice PDF generation module where user-supplied HTML in the invoice Notes field is passed unsanitized to the Dompdf rendering library. This allows attackers to make the server fetch remote resources referenced in malicious markup. The vulnerability can be exploited through PDF preview and email delivery endpoints. The issue has been patched in version 2.2.0.