Cross-site scripting by injecting an iframe in inventree/inventree
Reported on
Jun 15th 2022
Description
Cross-site scripting using an iframe
Proof of Concept
1. Go to https://demo.inventree.org/company/manufacturers/
2. Create a new manufacturer.
3. In the "Add notes" section, add this payload and save: <iframe src="https://brutelogic.com.br/poc.svg"></iframe>
4. Visit this address: https://demo.inventree.org/company/ID
PoC: visit this URL https://demo.inventree.org/company/39/
Impact
Cross-site scripting
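The report above describes a stored XSS: markup saved into a manufacturer's notes field is later handed to the browser as HTML, so an injected iframe (or script) executes for every user who views the record. The block below is an added example, written for this page and not InvenTree's own code nor the fix the maintainers shipped: an allow-list sanitizer built only on the Python standard library that a server could apply before rendering such a free-text field. The class and function names (NotesSanitizer, sanitize_notes, contains_active_content) and the allow-list are my choices, and the sample note it processes is constructed, embedding the iframe payload quoted in the proof of concept.

```python
"""Allow-list HTML sanitizer for a free-text 'notes' field (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes a notes field legitimately needs (assumption for this
# example). Everything else - iframe, script, img, svg, event handlers - is
# turned into inert, escaped text instead of being rendered.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_href(value: str) -> bool:
    """Accept only http(s)/mailto links; this blocks javascript: and data: URLs."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class NotesSanitizer(HTMLParser):
    """Rebuilds the input keeping allow-listed tags; all other markup becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_stack = []   # allowed tags currently open, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Disallowed element: emit its literal source as text so it is visible but inert.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, srcdoc=, ... on allowed tags
            if name == "href" and not _safe_href(value or ""):
                continue  # keep the link text, drop the dangerous target
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag in self.open_stack:
                # Close down to the matching tag; stray closing tags are dropped.
                while self.open_stack:
                    top = self.open_stack.pop()
                    self.out.append(f"</{top}>")
                    if top == tag:
                        break
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        pass  # comments are dropped; they can smuggle conditional markup

    def result(self) -> str:
        while self.open_stack:  # close anything the author left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_notes(raw: str) -> str:
    """Return a rendering-safe version of a stored notes string."""
    parser = NotesSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


def contains_active_content(rendered: str) -> bool:
    """Crude detection check: is a live (unescaped) iframe/script/javascript: link present?"""
    lowered = rendered.lower()
    return "<iframe" in lowered or "<script" in lowered or 'href="javascript:' in lowered


# Constructed sample: the report's payload stored verbatim in a notes field,
# alongside formatting a user might legitimately write and an unsafe link.
STORED_NOTE = (
    "<p>Lead time is <b>6 weeks</b>. "
    '<iframe src="https://brutelogic.com.br/poc.svg"></iframe>'
    '<a href="javascript:alert(1)">datasheet</a> '
    '<a href="https://example.com/ds.pdf">datasheet</a></p>'
)

if __name__ == "__main__":
    print("stored:   ", STORED_NOTE)
    print("rendered: ", sanitize_notes(STORED_NOTE))
```

Two design choices matter here. Disallowed tags are escaped rather than silently deleted, so the stored text remains visible to reviewers and auditable in the UI; and links keep their text but lose any non-http(s)/mailto target. Sanitize at render time (or in the template layer) rather than trusting input-side filtering alone, and in a real application prefer a maintained allow-list sanitizer library plus an escape-by-default template engine over a hand-rolled parser like this one.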
I can reproduce this report on the latest release. We will start work on a fix now. Thank you @gaurav-g2, we will release the bounty now and attribute you in the advisory.
A fix is written up now - once the CI is run through we should be able to release a patch in a few hours.
Hi @matmair, thanks for validating this report, but since you have lowered the severity to medium, the bounty amount went to zero because huntr only pays for high and critical severity issues. I found that some issues with the same vulnerability are considered high and critical; can you please reconsider the severity of this report?
Thanks
@gaurav-g2 this is the score it gets if I fill out the questionnaire for the severity. I think the main contributing factor for the high score was that you selected that no rights were needed for executing it, but actually you need to be authenticated, and also that it impacts the availability, which it does not, as the note field is never processed in any form other than as a string. I am not sure if you can see all the selected fields and how the score is calculated, but that is what I changed.