Name of the Vulnerable Software and Affected Versions InvenTree versions prior to 0.8.0 InvenTree versions 0.7.x prior to 0.7.2

Description The issue allows malicious JavaScript code to be injected into a user's browser by other authenticated users. This is due to insufficient database sanitation and lack of HTML escaping when rendering data. The attack vector is limited to authenticated users who can write data to the database. The estimated number of potentially affected devices is not specified.

Recommendations For InvenTree versions prior to 0.8.0, upgrade to version 0.8.0 or later. For InvenTree versions 0.7.x, upgrade to version 0.7.2 or later. As a temporary workaround, consider restricting access to sensitive data until a patched version is available. Avoid using the vulnerable front-end views until the issue is resolved.