Stored XSS in Part Parameter in inventree/inventree
Jun 11th 2022
inventree is vulnerable to Stored XSS in part parameter field.
Proof of Concept
Video PoC link: https://drive.google.com/file/d/19MiGIB3Q1Vzdm_MB_ttCKiEtFKR34z-2/view?usp=sharing
This allows the attacker to execute malicious scripts in all the project members browser and it can lead to session hijacking, sensitive data exposure, and worse.
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matthias Mair validated this vulnerability a year ago
This is a valid vulnerability - it will be fixed within 28 days by the maintainers.
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
to join this conversation