Stored Cross-Site Scripting (XSS) via direct link to attachments in inventree/inventree
Sep 26th 2022
This XSS is related to the previous report linked above. The fix that prevents XSS in uploaded attachments is insufficient, because no mitigation applies when an attachment is opened through its direct `/media/` link: the uploaded HTML file is served inline and rendered in the application's origin.
Proof of Concept
Steps to reproduce:
1. Log in to InvenTree.
2. Click on Parts. Add a new Category and create a Part.
3. Click on Attachments and upload the PoC file `xss.html` (Screenshot 1).
4. Right-click on the attachment and select `Copy link address`. The link should have the format `/media/part_files/<part_id>/xss.html`.
5. Paste the link in a new tab and observe that the XSS is triggered (Screenshot 2).
Proof of Concept Payload:
```html
<html>
<script>alert(document.location)</script>
</html>
```
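The weakness in the steps above is that the attachment is delivered inline with a browser-renderable content type. The helper below is an added example (not InvenTree's code) of the response headers a download endpoint should attach to any user-uploaded file so that it cannot execute in the serving origin: active types such as HTML and SVG are downgraded to `application/octet-stream`, the file is forced to download via `Content-Disposition: attachment`, sniffing is disabled, and a sandboxing CSP is set as a last line of defence. The function name and the `ACTIVE_TYPES` set are assumptions made for this example.

```python
import mimetypes
from urllib.parse import quote

# Content types a browser would render as active content (scripts would run).
# Anything in this set is served as an opaque download instead. (Constructed
# list for this example; extend it to match what your deployment accepts.)
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}


def safe_attachment_headers(filename: str) -> dict:
    """Return response headers for serving a user-uploaded attachment so that
    it is downloaded rather than rendered in the application's origin.
    Hypothetical helper, not part of InvenTree."""
    guessed, _ = mimetypes.guess_type(filename)
    content_type = guessed or "application/octet-stream"
    if content_type in ACTIVE_TYPES:
        # Never let the browser treat an upload as a document of the same origin.
        content_type = "application/octet-stream"

    # ASCII fallback name for the Content-Disposition header: drop quotes,
    # backslashes and control characters so the header stays well-formed.
    ascii_name = "".join(
        c if 32 <= ord(c) < 127 and c not in '"\\' else "_" for c in filename
    ) or "download"
    # RFC 5987 encoded form preserves non-ASCII file names for modern browsers.
    encoded_name = quote(filename, safe="")

    return {
        "Content-Type": content_type,
        # Force a download instead of inline rendering of the file.
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; filename*=UTF-8\'\'{encoded_name}'
        ),
        # Prevent MIME sniffing from turning the octet-stream back into HTML.
        "X-Content-Type-Options": "nosniff",
        # If anything does render, deny scripts and isolate it from the origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

These headers only help if the download actually passes through the code that sets them: when `/media/` is served directly by the front-end web server, the equivalent headers must be configured there, or attachment downloads routed through an application view that applies them.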