PT-2022-14863 · Inventree · Inventree

Published 2022-06-17 · Updated 2023-02-28 · CVE-2022-2111

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: inventree/inventree versions prior to 0.7.2

Description: The issue is an unrestricted upload of files with dangerous types in the GitHub repository inventree/inventree. Potentially dangerous files, such as HTML files containing malicious JavaScript, can be uploaded as attachments; when a user opens such an attachment, the embedded code runs directly in that user's browser, in the application's origin. Uploading a malicious file requires an authenticated user account.

Recommendations: For versions prior to 0.7.2, download attachment files to the local machine before opening them, rather than opening them in the current browser context. As a temporary workaround, users can reduce the risk by right-clicking the attachment link and selecting "Save link as", so that the HTML file is opened from the user's computer rather than from the application's origin, which removes the stored XSS vector. The issue is addressed in the upcoming 0.8.0 release and will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release.
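The server-side counterpart of the recommendation above, as an added example that is not InvenTree's own code: a helper that forces every attachment to be delivered as a download, tells the browser not to sniff the type, and relabels browser-executable types (HTML, SVG, XML, JavaScript) as opaque bytes, plus an upload-time check that refuses those types outright. The function names and the list of active content types are constructed for this example; the headers would be applied by whatever view serves the attachment.

```python
import mimetypes
import posixpath

# Content types a browser will render and execute script from when served
# inline. Constructed for this example; extend to match the deployment.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
    "application/javascript", "text/javascript",
}


def sanitize_filename(name: str) -> str:
    """Drop any path component and characters that could break the header."""
    base = posixpath.basename(name.replace("\\", "/"))
    for ch in ('"', "\r", "\n"):
        base = base.replace(ch, "")
    return base or "attachment"


def upload_is_dangerous(filename: str) -> bool:
    """Upload-time check: refuse files whose type a browser would execute.

    Extension-based only, so it complements (never replaces) the serving
    headers below: a file's declared name and its real content can differ.
    """
    guessed, _ = mimetypes.guess_type(sanitize_filename(filename))
    return guessed in ACTIVE_CONTENT_TYPES


def attachment_headers(filename: str) -> dict:
    """Headers for serving a user-uploaded attachment safely.

    The file is always a download (Content-Disposition: attachment), the
    browser is told not to sniff the type, and active content is relabelled
    as application/octet-stream so that even a client ignoring the
    disposition header never renders it in the application's origin.
    """
    safe_name = sanitize_filename(filename)
    guessed, _ = mimetypes.guess_type(safe_name)
    content_type = guessed or "application/octet-stream"
    if content_type in ACTIVE_CONTENT_TYPES:
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: no script, no plugins, even if rendered.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```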


Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2022-2111
GHSA-FR2W-MP56-G4XP

Affected Products

Inventree