CVE-2024-47610

MEDIUM EPSS 21.0%
Published Oct 7, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1 base score 5.4 (Medium)

Description

InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree, a registered user can store JavaScript in markdown notes fields; that content is then rendered for, and executed in the browsers of, other logged-in users who visit the same page. The vulnerability has been addressed as follows: 1. HTML sanitization has been enabled in the front-end markdown rendering library, `easymde`. 2. Stored markdown is also validated on the backend, to ensure that malicious markdown is not stored in the database. These changes are available in release versions 0.16.5 and later. All users are advised to upgrade. There are no workarounds; an update is required to get the new validation functions.

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
21.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor             Product     Version   Range
inventree_project  inventree   *         <0.16.5

References 2

  • github.com https://github.com/inventree/InvenTree/commit/6e37f0cd8ba5fc527412f18f66cd6a37015fa690
    Patch
  • github.com https://github.com/inventree/InvenTree/security/advisories/GHSA-wp3m-jhgv-rhqr
    Vendor Advisory

Remediation

  • github.com https://github.com/inventree/InvenTree/commit/6e37f0cd8ba5fc527412f18f66cd6a37015fa690
    Patch