PT-2022-28216 · Inventree +1

Published 2022-06-17 · Updated 2022-06-17

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

InvenTree versions prior to 0.8.0
InvenTree versions 0.7.x prior to 0.7.3

Description

The issue concerns the EasyMDE markdown editor used in InvenTree, which does not sanitize input data by default. Markdown containing raw HTML or script can therefore be stored in the database and is rendered unsanitized in the editor, so the injected code executes in the browser of any user who views it (stored XSS). Exploitation requires a trusted user who can upload malicious data to the database, which limits the risk.

Recommendations

For InvenTree versions prior to 0.8.0, update to version 0.8.0 or later, which enables data sanitization for the EasyMDE renderer and enforces cleaning of all data uploaded to the database via the API. For InvenTree versions 0.7.x, update to version 0.7.3 or later to apply the back-ported fix. As a temporary workaround, consider restricting access to the markdown editor until the issue is resolved by updating to the specified version.
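The fix described above has two halves: sanitize the HTML that the markdown renderer produces before it reaches the DOM (EasyMDE exposes a sanitizer hook for its preview output, renderingConfig.sanitizerFunction), and clean data at the API boundary before it is stored so that a single careless renderer cannot reintroduce the problem. The following is an added example of the allowlist-based sanitization both halves rely on; it is not InvenTree or EasyMDE code. It uses only the Python standard library, the sample rendered HTML is constructed for the demonstration, and the tag and attribute allowlists are illustrative choices, not the project's configuration. In production a maintained sanitizer (bleach or DOMPurify) should take the place of this hand-written one, but the logic below shows what such a sanitizer must do: drop unknown elements, drop every attribute not explicitly allowed (which removes all on* handlers), drop `<script>`/`<style>` together with their contents, and reject non-allowlisted URL schemes such as `javascript:`.

```python
"""Allowlist HTML sanitizer for markdown renderer output (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlists (assumption, not InvenTree's configuration).
ALLOWED_TAGS = {"p", "br", "hr", "strong", "em", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3", "h4", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content is itself executable or styling: drop content too.
DROP_WITH_CONTENT = {"script", "style"}
VOID_TAGS = {"br", "hr", "img"}


def _safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, etc.
    Browsers ignore tabs/newlines/control characters inside a scheme, so strip them
    before parsing to avoid a "java\\tscript:" bypass."""
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._dropping = False  # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._dropping = True
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return  # unknown element: strip the tag, keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes onerror=, onmouseover=, style=, ...
            if name in URL_ATTRS and not _safe_url(value):
                continue  # removes href="javascript:..." and src="data:..."
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._dropping = False
            return
        if not self._dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))


def sanitize_html(rendered: str) -> str:
    """Return an allowlist-filtered copy of renderer output. Apply this to the
    markdown renderer's HTML before inserting it into the page, and to API
    payloads before they are stored (defense in depth)."""
    parser = _AllowlistSanitizer()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.out)


# Constructed sample: what a renderer with raw-HTML passthrough would emit for
# a notes field containing injected markup. Not data from the advisory.
UNSAFE_RENDERED = (
    '<p>Part note with <strong>bold</strong> text.</p>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">open</a>'
    '<script>alert("xss")</script>'
    '<p onmouseover="alert(1)">hover</p>'
)

if __name__ == "__main__":
    print(sanitize_html(UNSAFE_RENDERED))
    # <p>Part note with <strong>bold</strong> text.</p><img src="x"><a>open</a><p>hover</p>
```

Running the same function at both points matters: the renderer-side hook protects the preview pane, while cleaning on API write means data already in the database cannot carry a payload that some other consumer renders without the hook.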

XSS

Weakness Enumeration

Related Identifiers

GHSA-85Q9-7467-R53Q

Affected Products

Easymde
Inventree