Stored Cross-Site Scripting (XSS) in via direct link to attachments in inventree/inventree


Reported on

Sep 26th 2022


The XSS is related to this previous report. The fix to prevent XSS in uploaded attachments is insufficient, as there is no mitigation when accessing attachments via a direct link.

Proof of Concept

Steps to reproduce:

1. Log in to Inventree
2. Click on Parts. Add a new Category and create a Part
3. Click on Attachments and upload the PoC file xss.html (Screenshot 1)
4. Right Click on the Attachment & Select `Copy link address`. The link should have the format `/media/part_files/<part_id>/xss.html`
5. Paste the link in a new tab and observe that the XSS is triggered (Screenshot 2)

Proof of Concept Payload:


Screenshot 1

Screenshot 1

Screenshot 2

Screenshot 2


The impact is JavaScript Code Execution. In order to carry out a succesful attack, the attacker needs a low privilege user that is allowed to create or edit Parts to upload the malicious attachment. The attacker then sends the direct link to the malicious attachment to an administrator. If the administrator visits the link while logged in to Inventree, the impact is essentially full account takeover.

We are processing your report and will contact the inventree team within 24 hours. 2 months ago
We have contacted a member of the inventree team and are waiting to hear back 2 months ago
inventree/inventree maintainer has acknowledged this report 2 months ago
2 months ago

The suggested solution here is outside of the scope of the inventree software itself. Instead, the installation / setup must ensure that media files are served with the "Content-Disposition: attachment" header.

We are updating our installation guidelines and default nginx configuration files as appropriate:

Oliver validated this vulnerability 2 months ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver marked this as fixed in 0.9.0 with commit a3c933 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
2 months ago


Great! Should we go for a CVE @maintainer?

to join this conversation