Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04NXE5LTc0NjctcjUzcc4AArtb

XSS Vulnerability in Markdown Editor

Impact

InvenTree uses EasyMDE to display markdown text in various places (e.g. the "notes" fields attached to various models).

By default, EasyMDE does not sanitize input data, so malicious code can be injected into the markdown editor and executed in the user's browser.

Note: This malicious data must first be uploaded to the database by an authorized user, so the risk here is limited to trusted users.

Solution

The solution here is two-fold:

Patches

Workarounds

There is no workaround for this issue without upgrading InvenTree to the specified version.

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-85q9-7467-r53q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NXE5LTc0NjctcjUzcc4AArtb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-85q9-7467-r53q
References: Repository: https://github.com/inventree/InvenTree
Blast Radius: 0.0

Affected Packages

pypi:inventree
Dependent packages: 1
Dependent repositories: 5
Downloads: 890 last month
Affected Version Ranges: < 0.7.3
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.4, 0.3.1, 0.3.2, 0.4.4, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2