Software: InvoicePlane
Version: 1.4.6
URL: https://invoiceplane.com/
Researcher: Ross Marks
URL: http://www.rossmarks.co.uk

1) Username enumeration

   The login form returns a different error message depending on whether the
   e-mail address is registered, so valid accounts can be told apart from
   invalid ones:

   wrong username: "There is no account registered with this Email address."
   wrong password: "Email or Password incorrect."

2) Directory listing enabled by default

   /invoice_plane/uploads/
   /invoice_plane/assets/

3) Persistent & reflected XSS

   Everywhere: there is NO XSS protection implemented.

4) Object injection via session cookie

   Example, set the result of the following as the cookie:
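As an added defensive illustration for item 4 (example code written here, not the advisory's and not InvoicePlane's own), a hypothetical PHP cookie handler that keeps object deserialization off the cookie path entirely: the cookie carries base64 JSON plus an HMAC tag, and the reader verifies the tag before decoding, so unserialize() is never called on client-controlled bytes. The $secret value and the field names are assumptions.

```php
<?php
// Added example (not InvoicePlane code). The vulnerable pattern behind a
// cookie object injection is: $data = unserialize($_COOKIE['session']);
// which lets the client choose which classes get instantiated. Replacing
// it with signed JSON removes that capability altogether.
// $secret is assumed to be a random server-side key loaded from config.

function make_session_cookie(array $data, string $secret): string {
    $payload = base64_encode(json_encode($data));
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

function read_session_cookie(string $cookie, string $secret): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // malformed cookie
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison; also false when lengths differ.
    if (!hash_equals($expected, $tag)) {
        return null;                       // tampered or forged cookie
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // assoc=true yields plain arrays, never objects, so no __wakeup()
    // or __destruct() of any application class can run on cookie data.
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Usage with constructed values (placeholder key):
$secret = 'replace-with-random-32-byte-key';
$cookie = make_session_cookie(['user_id' => 42, 'role' => 'user'], $secret);
var_dump(read_session_cookie($cookie, $secret));        // array with the fields
var_dump(read_session_cookie($cookie . 'x', $secret));  // NULL: tag mismatch
```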