{
  "url": "http://public2.vulnerablecode.io/api/packages/149381?format=json",
  "purl": "pkg:pypi/inventree@0.7.3",
  "type": "pypi",
  "namespace": "",
  "name": "inventree",
  "version": "0.7.3",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "0.17.0",
  "latest_non_vulnerable_version": "0.17.0",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109015?format=json",
      "vulnerability_id": "VCID-he7c-32nx-jkfn",
      "summary": "Inventree vulnerable to Stored Cross-site Scripting\nInventree prior to 0.8.3 is vulnerable to stored cross-site scripting by uploading SVG files. Version 0.8.3 contains a patch for this issue.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3355",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.56921", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.56889", "published_at": "2026-06-04T12:55:00Z"},
            {"value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.5694", "published_at": "2026-06-09T12:55:00Z"},
            {"value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.56948", "published_at": "2026-06-06T12:55:00Z"},
            {"value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.56936", "published_at": "2026-06-07T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3355"
        },
        {
          "reference_url": "https://github.com/inventree/inventree",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/inventree/inventree"
        },
        {
          "reference_url": "https://github.com/inventree/inventree/commit/5a08ef908dd5344b4433436a4679d122f7f99e41",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},
            {"value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-20T19:35:04Z/"}
          ],
          "url": "https://github.com/inventree/inventree/commit/5a08ef908dd5344b4433436a4679d122f7f99e41"
        },
        {
          "reference_url": "https://github.com/inventree/InvenTree/releases/tag/0.8.3",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/inventree/InvenTree/releases/tag/0.8.3"
        },
        {
          "reference_url": "https://huntr.dev/bounties/4b7fb92c-f06b-4bbf-82dc-9f013b30b6a6",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},
            {"value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-20T19:35:04Z/"}
          ],
          "url": "https://huntr.dev/bounties/4b7fb92c-f06b-4bbf-82dc-9f013b30b6a6"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3355",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3355"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-62g7-fpv9-v95f",
          "reference_id": "GHSA-62g7-fpv9-v95f",
          "reference_type": "",
          "scores": [
            {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-62g7-fpv9-v95f"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/145489?format=json",
          "purl": "pkg:pypi/inventree@0.8.3",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-uv8d-zeym-rkcb"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/inventree@0.8.3"
        }
      ],
      "aliases": ["CVE-2022-3355", "GHSA-62g7-fpv9-v95f"],
      "risk_score": 3.7,
      "exploitability": "0.5",
      "weighted_severity": "7.4",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-he7c-32nx-jkfn"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55920?format=json",
      "vulnerability_id": "VCID-uv8d-zeym-rkcb",
      "summary": "Inventree Server-Side Request Forgery vulnerability exposes server port/internal IP\nThe \"download image from remote URL\" feature can be abused by a malicious actor to potentially extract information about server side resources. Submitting a crafted URL (in place of a valid image) can raise a server side error, which is reported back to the user.\n\nThis error message may contain sensitive information about the server side request, including information about the availability of the remote resource.",
      "references": [
        {
          "reference_url": "https://github.com/inventree/InvenTree",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},
            {"value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/inventree/InvenTree"
        },
        {
          "reference_url": "https://github.com/inventree/InvenTree/commit/5759b60a48e7e178fb417a900ed543f29dc5dc86",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},
            {"value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/inventree/InvenTree/commit/5759b60a48e7e178fb417a900ed543f29dc5dc86"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-vx3h-qwqw-r2wq",
          "reference_id": "GHSA-vx3h-qwqw-r2wq",
          "reference_type": "",
          "scores": [
            {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-vx3h-qwqw-r2wq"
        },
        {
          "reference_url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-vx3h-qwqw-r2wq",
          "reference_id": "GHSA-vx3h-qwqw-r2wq",
          "reference_type": "",
          "scores": [
            {"value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-vx3h-qwqw-r2wq"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/82818?format=json",
          "purl": "pkg:pypi/inventree@0.16.5",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/inventree@0.16.5"
        },
        {
          "url": "http://public2.vulnerablecode.io/api/packages/771110?format=json",
          "purl": "pkg:pypi/inventree@0.17.0",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/inventree@0.17.0"
        }
      ],
      "aliases": ["GHSA-vx3h-qwqw-r2wq"],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uv8d-zeym-rkcb"
    }
  ],
  "fixing_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110687?format=json",
      "vulnerability_id": "VCID-zx9b-wp9x-nkbz",
      "summary": "XSS Vulnerability in Markdown Editor\n### Impact\n\nInvenTree uses [EasyMDE](https://github.com/Ionaru/easy-markdown-editor) for displaying markdown text in various places (e.g. for the various \"notes\" fields associated with various models).\n\nBy default, EasyMDE does not sanitize input data, and it is possible for malicious code to be injected into the markdown editor, and executed in the users browser.\n\n*Note: This malicious data must be first uploaded to the database by an authorized user, so the risk here is limited to trusted users*\n\n### Solution\n\nThe solution here is two-fold:\n\n- Enable data sanitization for the EasyMDE renderer - [#3205](https://github.com/inventree/InvenTree/pull/3205)\n- Enforce cleaning of all data uploaded to the database via the API - [#3204](https://github.com/inventree/InvenTree/pull/3204) *(This will be ready for the 0.8.0 release)*\n\n### Patches\n\n- The issue is addressed in the 0.8.0 release\n- This fix was back-ported to the 0.7.x branch, applied to the 0.7.3 release\n\n### Workarounds\n\nThere is no workaround for this issue without upgrading InvenTree to the specified version.\n\n### References\n\n- https://huntr.dev/bounties/ab296cf5-7a3e-4f49-8f63-5b35fc707f03/\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [github](http://github.com/inventree/inventree)\n* Email us at [security@inventree.org](mailto:security@inventree.org)",
      "references": [
        {
          "reference_url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-85q9-7467-r53q",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-85q9-7467-r53q"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-85q9-7467-r53q",
          "reference_id": "GHSA-85q9-7467-r53q",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-85q9-7467-r53q"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/149381?format=json",
          "purl": "pkg:pypi/inventree@0.7.3",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-he7c-32nx-jkfn"},
            {"vulnerability": "VCID-uv8d-zeym-rkcb"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/inventree@0.7.3"
        }
      ],
      "aliases": ["GHSA-85q9-7467-r53q", "GMS-2022-2437"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zx9b-wp9x-nkbz"
    }
  ],
  "risk_score": "3.7",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/inventree@0.7.3"
}