GHSA-85q9-7467-r53q – inventree

Package

Manager: pip
Name: inventree
Vulnerable Version: >=0 <0.7.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

XSS Vulnerability in Markdown Editor ### Impact InvenTree uses [EasyMDE](https://github.com/Ionaru/easy-markdown-editor) for displaying markdown text in various places (e.g. for the various "notes" fields associated with various models). By default, EasyMDE does not sanitize input data, and it is possible for malicious code to be injected into the markdown editor, and executed in the users browser. *Note: This malicious data must be first uploaded to the database by an authorized user, so the risk here is limited to trusted users* ### Solution The solution here is two-fold: - Enable data sanitization for the EasyMDE renderer - [#3205](https://github.com/inventree/InvenTree/pull/3205) - Enforce cleaning of all data uploaded to the database via the API - [#3204](https://github.com/inventree/InvenTree/pull/3204) *(This will be ready for the 0.8.0 release)* ### Patches - The issue is addressed in the upcoming 0.8.0 release - This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.3 release ### Workarounds There is no workaround for this issue without upgrading InvenTree to the specified version. ### References - https://huntr.dev/bounties/ab296cf5-7a3e-4f49-8f63-5b35fc707f03/ ### For more information If you have any questions or comments about this advisory: * Open an issue in [github](http://github.com/inventree/inventree) * Email us at [security@inventree.org](mailto:security@inventree.org)

Metadata

Created: 2022-06-17T21:51:45Z
Modified: 2022-06-17T21:51:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-85q9-7467-r53q/GHSA-85q9-7467-r53q.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F425
Auto approve: 1