Advisories for Pypi/Inventree package

2024

Inventree Server-Side Request Forgery vulnerability exposes server port/internal IP

The "download image from remote URL" feature can be abused by a malicious actor to potentially extract information about server side resources. Submitting a crafted URL (in place of a valid image) can raise a server side error, which is reported back to the user. This error message may contain sensitive information about the server side request, including information about the availability of the remote resource.

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3.

Improper Neutralization of Formula Elements in a CSV File

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.

Insufficient HTML Sanitization

Affected versions can have malicious javascript code injected into the users browser by other authenticated users, as data fields retrieved from the database are not properly sanitized before displaying in various front-end views.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in inventree.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in inventree.

Formula Injection in Exported Data

Datasets exported to file (e.g. CSV / XLS) are not sufficiently sanitized, to neutralize potential formula injection.