Cross site Scripting By injecting iframe in inventree/inventree

Valid

Reported on

Jun 15th 2022


Description

Cross site scripting using iframe

Proof of Concept

1. Go to https://demo.inventree.org/company/manufacturers/
2. Create a new Manufacturer
3. In the "Add notes" section add this payload: <iframe src="https://brutelogic.com.br/poc.svg"></iframe> and save
4. Visit this address: https://demo.inventree.org/company/ID

PoC: visit this URL https://demo.inventree.org/company/39/

Impact

Cross site scripting
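Sanitizing the notes field before it is rendered is the standard defence against this class of issue; the allow-list sanitizer below is an added example, not InvenTree's code or the fix merged in this thread, and uses only the Python standard library. The allowed tag set and the `sanitize_notes` name are assumptions made for the illustration; the iframe payload from the PoC above is dropped entirely, as are script tags, event-handler attributes and `javascript:` links.

```python
# Added example (not InvenTree's own code): allow-list sanitizer for a free-text
# "notes" field, standard library only. Tags outside the allow-list are dropped;
# active content (iframe/script/...) is dropped together with its body.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # no on* handlers, no style, no src
DROP_WITH_BODY = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class NoteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside an element whose body is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data: and other non-http schemes
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text can never become markup again


def sanitize_notes(raw_html: str) -> str:
    """Return raw_html with only allow-listed markup; everything else is removed."""
    p = NoteSanitizer()
    p.feed(raw_html)
    p.close()  # flushes buffered text (convert_charrefs=True buffers until close)
    return "".join(p.out)
```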

We are processing your report and will contact the inventree team within 24 hours. 10 days ago
Matthias Mair gave praise 10 days ago
The fix is in master now and is slated to be released with another frontend fix today
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Matthias Mair modified the Severity from Critical (9.8) to Medium (6.5) 10 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matthias Mair validated this vulnerability 10 days ago

I can reproduce this report on the latest release. We will start work on a fix now. Thank you @gaurav-g2 we will release the bounty now and attribute you in the advisory.

Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matthias Mair
10 days ago

A fix is written up now - once the CI is run through we should be able to release a patch in a few hours.

Distorted_Hacker
10 days ago

Researcher


Hi @matmair, thanks for validating this report, but since you have lowered the severity to medium the bounty amount went to zero, because huntr only pays for high and critical severity issues. I found that some issues with the same vulnerability are considered high and critical. Can you please reconsider the severity of this report?

Thanks

Matthias Mair
10 days ago

@gaurav-g2 this is the score it gets if I fill out the questionnaire for the severity. I think the main contributing factor for the high score was that you selected that no rights were needed for executing it, but actually you need to be authenticated, and also that it impacts the availability, which it does not, as the note field is never processed in any form other than as a string. I am not sure if you can see all the selected fields and how the score calculates, but that is what I changed.

Matthias Mair confirmed that a fix has been merged on e83995 10 days ago
Matthias Mair has been awarded the fix bounty