Stored XSS in Customer Company Name in inventree/inventree
Jun 13th 2022
inventree is vulnerable to Stored XSS in customer company name field.
Proof of Concept
Video PoC Link: https://drive.google.com/file/d/11tKQzqKFobDEuqigsQYIdQhMnqSLIBsi/view?usp=sharing
This allows the attacker to execute malicious scripts in all the project members browser and it can lead to session hijacking, sensitive data exposure, and worse.
Oliver validated this vulnerability a year ago
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
commented a year ago
@admin Can you assign CVE?
to join this conversation