Inventree
Monthly
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.
Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenticated attackers to elevate any user account to staff level through improperly secured API endpoints. Exploitation requires no special conditions beyond network access and enables unauthorized administrative access to inventory management functions. EPSS score of 0.03% (8th percentile) indicates low observed exploitation likelihood, and SSVC assessment confirms no known exploitation with non-automatable attack requiring user account creation first.
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.
InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.
Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenticated attackers to elevate any user account to staff level through improperly secured API endpoints. Exploitation requires no special conditions beyond network access and enables unauthorized administrative access to inventory management functions. EPSS score of 0.03% (8th percentile) indicates low observed exploitation likelihood, and SSVC assessment confirms no known exploitation with non-automatable attack requiring user account creation first.
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.
InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.