CVE-2022-2111 – inventree

Package

Manager: pip
Name: inventree
Vulnerable Version: >=0 <0.7.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00459 pctl0.63144

Details

Unrestricted Attachment Upload ### Impact InvenTree allows unrestricted upload of files as attachments to various database fields. Potentially dangerous files (such as HTML files containing malicious javascript) can be uploaded, and (when opened by the user) run the malicious code directly in the users browser.  *Note that the upload of malicious files must be performed by an authenticated user account* ### Solution The solution for this vulnerability is to ensure that attachment files are downloaded to the local machine before opening, rather than opening the file in the current browser context. ### Patches - The issue is addressed in the upcoming 0.8.0 release - This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release ### Workarounds Users can alleviate risk of opening malicious files by right-clicking on the attachment link and selecting "Save link as"  This minimizes risk (e.g. of XSS attacks) by opening the HTML file from the users computer ### References https://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1/ ### For more information If you have any questions or comments about this advisory: * Open an issue in [github](http://github.com/inventree/inventree) * Email us at [security@inventree.org](mailto:security@inventree.org)

Metadata

Created: 2022-06-17T01:16:55Z
Modified: 2022-06-29T21:47:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-fr2w-mp56-g4xp/GHSA-fr2w-mp56-g4xp.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-fr2w-mp56-g4xp
Finding: F027
Auto approve: 1