InvenTree Vulnerable to ORM Filter Injection

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

通过数据查询的敏感数据暴露

InvenTree 安全漏洞

InvenTree是InvenTree开源的一个开源库存管理系统。提供强大的低级库存控制和零件跟踪。 InvenTree 1.2.6之前版本存在安全漏洞，该漏洞源于批量操作API端点将过滤器参数直接传递给Django ORM，可能导致敏感信息泄露。

N/A

N/A