Stored Cross-site Scripting Vulnerability in Markdown Editor

InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addressed as follows: 1. HTML sanitization has been enabled in the front-end markdown rendering library - `easymde`. 2. Stored markdown is also validated on the backend, to ensure that malicious markdown is not stored in the database. These changes are available in release versions 0.16.5 and later. All users are advised to upgrade. There are no workarounds, an update is required to get the new validation functions.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

InvenTree 跨站脚本漏洞

InvenTree是InvenTree开源的一个开源库存管理系统。提供强大的低级库存控制和零件跟踪。 InvenTree 0.16.5之前版本存在跨站脚本漏洞，该漏洞源于允许注册用户在Markdown笔记字段中存储JavaScript代码，然后将其显示给访问同一页面并执行的其他登录用户。

N/A

N/A