Impact
Uploading a malicious SVG file as an attachment to an InvenTree page can expose users to stored XSS or similar attacks: an SVG can carry script and event-handler attributes, and a browser that renders the attachment inline executes them in the InvenTree origin. Attackers could use such a file to steal users' browser cookies or other data.
Patches
This issue is patched in 0.8.3 and 0.9.0.
Workarounds
Users should avoid opening any uploaded SVG file in their web browser. Instead, download the file to your local computer and open it with a separate SVG viewer.
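One way to flag SVG uploads that carry active content and to enforce the download-only workaround from the server side, as an added Python example that is not InvenTree's code or its patch; the element and attribute lists, the header set and the sample SVGs are assumptions constructed for illustration:

```python
"""Defender-side checks for SVG attachments (added example, not InvenTree code)."""
import xml.etree.ElementTree as ET

# Constructed sample inputs (assumptions, not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              b'<script>alert(1)</script></svg>')

# Elements that let an SVG run script or embed arbitrary HTML when rendered.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name):
    """Strip an XML namespace prefix: '{uri}tag' -> 'tag' (lower-cased)."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return the reasons an SVG should be treated as active content.

    Fails closed: input that does not parse is reported as a finding too.
    Production code should parse with defusedxml to also block entity attacks.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):               # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")  # covers xlink:href too
    return findings


def download_headers(filename):
    """Headers that make a browser save an SVG instead of rendering it inline,
    enforcing the advisory's workaround server-side. The CSP sandbox is a
    second layer in case a client still renders the response."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```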
References
Stored XSS via SVG File
For more information
If you have any questions or comments about this advisory:
Open an issue in GitHub
Email us at [email protected]