It appears that we can create an invoice:
We can then view this Invoice in the original invoice list, and export as a PDF.
The request to submit the markdown content for the invoice posts as JSON (below):
The source code shows an application written in nodejs, with a few routes.
It can also be observed that MDHelper.js is being uses to convert markdown to a pdf.
Looking at package.json shows the dependencies of the application, which in this case include md-to-pdf 4.1.0 Searching for md to pdf 4.1.0 exploit reveals an RCE in any version of md-to-pdf < 5.0.0.
LINK: https://snyk.io/vuln/npm%3Amd-to-pdf
The SNYK link shows that if a certain payload is passed into the content field of the mdToPdf function, then code is executed:
---js
((require("child_process")).execSync("id > /tmp/RCE.txt"))
---RCE