PT-2024-32671 · Easymde+1

Febin0X10 · Published 2024-10-07 · Updated 2025-12-17 · CVE-2024-47610

CVSS v3.1: 7.3 High

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

InvenTree versions prior to 0.16.5

Description

The issue allows a registered user to store JavaScript in markdown notes fields. The stored script is then displayed to other logged-in users who visit the same page and is executed. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations

For versions prior to 0.16.5, update to release version 0.16.5 or later to address the issue. As a temporary workaround, consider disabling the markdown notes fields until the update is applied. Restrict access to the markdown rendering library (easymde) to minimize the risk of exploitation. Avoid using the markdown notes fields in the affected pages until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-47610
GHSA-WP3M-JHGV-RHQR

Affected Products

Inventree
Easymde