Inventree · Inventree · CVE-2026-33530
**Name of the Vulnerable Software and Affected Versions**
InvenTree versions prior to 1.2.6
InvenTree versions 1.2.6 through 1.3.0
**Description**
InvenTree is an Open Source Inventory Management System. Certain API endpoints associated with bulk data operations can be exploited to exfiltrate sensitive information from the database. The bulk operation API endpoints, including `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others, accept a `filters` parameter. This parameter is passed directly to Django's ORM as `queryset.filter(**filters)` without any field allowlisting. This allows authenticated users to traverse model relationships using Django's `__` lookup syntax and perform blind boolean-based data extraction. The `filters` parameter is the key component in this issue.
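One way to close the gap the description identifies, shown here as an added example and not InvenTree's own code: validate the user-supplied `filters` dict against a per-endpoint allowlist of fields and lookups before it is expanded into `queryset.filter(**filters)`. The `ALLOWED_FILTERS` table and its field names are assumptions for illustration, not InvenTree model fields.

```python
from typing import Any, Mapping

# Hypothetical allowlist for one endpoint: field name -> permitted lookups.
# Only these keys may ever reach queryset.filter(**filters).
ALLOWED_FILTERS: dict[str, frozenset[str]] = {
    "name": frozenset({"exact", "iexact", "icontains"}),
    "active": frozenset({"exact"}),
    "category": frozenset({"exact", "in"}),
}


class InvalidFilter(ValueError):
    """Raised when a filter key is not permitted by the allowlist."""


def validate_filters(filters: Mapping[str, Any],
                     allowed: Mapping[str, frozenset[str]] = ALLOWED_FILTERS) -> dict[str, Any]:
    """Return a copy of ``filters`` containing only allowlisted keys.

    A key such as ``name__icontains`` is split on Django's ``__`` separator into
    a field and at most one lookup. Unknown fields, unknown lookups and any key
    with more than one ``__`` segment (which is how ``field__relation__attr``
    relation traversal would be expressed) are rejected rather than passed on,
    so a caller cannot steer the ORM into unrelated tables.
    """
    cleaned: dict[str, Any] = {}
    for key, value in filters.items():
        field, *lookups = key.split("__")
        if field not in allowed:
            raise InvalidFilter(f"field not filterable: {field!r}")
        if len(lookups) > 1:
            raise InvalidFilter(f"relation traversal not permitted: {key!r}")
        if lookups and lookups[0] not in allowed[field]:
            raise InvalidFilter(f"lookup {lookups[0]!r} not permitted on {field!r}")
        cleaned[key] = value
    return cleaned


def filters_are_safe(filters: Mapping[str, Any]) -> bool:
    """Convenience predicate: True if every key would survive validation."""
    try:
        validate_filters(filters)
    except InvalidFilter:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input: a benign request and a traversal attempt.
    print(validate_filters({"name__icontains": "bolt", "active": True}))
    print(filters_are_safe({"category__owner__password__startswith": "a"}))
```

In a Django view the cleaned dict is what gets passed on, e.g. `queryset.filter(**validate_filters(request.data.get("filters", {})))`, so a rejected key produces a 4xx response instead of a query.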
**Recommendations**
Update InvenTree to version 1.2.6 or later.
Update InvenTree to version 1.3.0 or later.