Stored XSS in Supplier Company Name in inventree/inventree

Valid

Reported on

Jun 13th 2022


Description

The application inventree is vulnerable to Stored XSS in the supplier company name field.

Proof of Concept

Video PoC Link: https://drive.google.com/file/d/1KDrwbWkftO-cNrd-4XSoNh_27Z3vqiMR/view?usp=sharing

Impact

This allows the attacker to execute malicious scripts in all the project members' browsers, and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the inventree team within 24 hours. 13 days ago
We have contacted a member of the inventree team and are waiting to hear back 12 days ago
Oliver gave praise 10 days ago
Thanks @saharshtapi for reporting these issues
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Oliver validated this vulnerability 10 days ago
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver confirmed that a fix has been merged on 26bf51 10 days ago
Oliver has been awarded the fix bounty
saharshtapi
10 days ago

Researcher


@admin Can you assign CVE?
