Stored XSS in Supplier Company Description in inventree/inventree
Jun 13th 2022
inventree is vulnerable to Stored XSS in supplier company description field.
Proof of Concept
Video PoC Link: https://drive.google.com/file/d/115LLo4rxW7RzWd7hevbSFAlf-V83OUhU/view?usp=sharing
This allows the attacker to execute malicious scripts in all the project members browser and it can lead to session hijacking, sensitive data exposure, and worse.