Stored XSS in Supplier Company Name in inventree/inventree
Jun 13th 2022
InvenTree is vulnerable to stored XSS via the supplier company name field.
Proof of Concept
Video PoC Link: https://drive.google.com/file/d/1KDrwbWkftO-cNrd-4XSoNh_27Z3vqiMR/view?usp=sharing
This allows an attacker to execute malicious scripts in the browsers of all project members who view the supplier, which can lead to session hijacking, sensitive data exposure, and worse.
Oliver gave praise a year ago
Thanks @saharshtapi for reporting these issues
Oliver validated this vulnerability a year ago
saharshtapi has been awarded the disclosure bounty
commented a year ago
@admin Can you assign CVE?