CVE-2024-47610: Stored XSS Vulnerability in InvenTree

Updated: October 18th, 2024

Product Name: InvenTree Inventory Management System
Vulnerability: Stored XSS
Vulnerable Versions: Below InvenTree 0.16.5
CVE: CVE-2024-47610

Astra Security identified a vulnerability in the InvenTree Inventory Management System on October 2nd, 2024, which has since been patched. The vulnerability, CVE-2024-47610, is a stored cross-site scripting (stored XSS) flaw affecting InvenTree versions below 0.16.5, in which Markdown entered in the Notes feature can enable attackers to run code in other users’ browsers.

Cross-site scripting vulnerabilities allow an attacker to inject HTML into an application so that it executes in the browsers of the users who view the injected content. In this case, the vulnerability affects InvenTree, an inventory management application used by many people and organizations. The vulnerability was fixed before it was publicly disclosed, and a fix is available.

CVE-2024-47610: Technical Breakdown

Exploitation Attempts

No data is currently available on how many exploitation attempts were made before the vulnerability was discovered and patched. However, using the ‘Markdown’ feature in the application carried a significant risk of exploitation until the problem was resolved.

How Was It Discovered?

Astra scanned the application for security vulnerabilities and found a weakness in InvenTree’s ‘Notes’ feature. The application sanitized HTML characters in user input but did not correctly filter out JavaScript embedded in Markdown links. The flaw allowed an attacker holding an Engineer account to inject script through Markdown markup.

During its analysis, Astra also found that injecting the following Markdown into the Notes section triggered the flaw:

# [HELLO ClickME](javascript:alert(1))

This script runs when an admin or any other user clicks the link, which can lead to an account takeover or further malicious activity.

Recreating the Vulnerability

The vulnerability can be reproduced by executing the following steps:

  • Log into the InvenTree system with an Engineer-level user account.
  • Navigate to the ‘Notes’ section and insert a Markdown link containing a JavaScript payload, as shown in the example above.
  • Save the note.
  • The script is executed when an administrator or user clicks on the injected link.

Impact

The vulnerability, rated high (CVSS score: 7.3), could be abused to take over user accounts and then perform whatever actions the attacker intends. If exploited successfully, it could result in a breach, the theft of valid authorization details, or unauthorized access to confidential data.

Current Status and Mitigation

Discovery Timeline

Vulnerability reported: September 30, 2024

Fix released: October 2, 2024

Current Status

The fix is included in two InvenTree releases, v0.16.5 and v0.17.0. Users of earlier versions are advised to upgrade as soon as possible to avert misuse. Prompt patching is also encouraged because a widely used product is an attractive target, so attacks on it are likely to continue.

Mitigation Techniques

To prevent exploitation of this vulnerability, InvenTree has implemented several mitigation techniques, with a follow-up step for administrators:

  • Sanitize all input data, and in particular filter out or escape script embedded in Markdown link destinations.
  • Enforce a correct Content Security Policy (CSP) to block execution of unauthorized scripts.
  • Subject user input to rigorous validation, especially input supplied via Markdown or any other rich-text format.
  • Administrators should upgrade InvenTree to the latest version and verify that input sanitization works on every interface their users interact with.
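As an added illustration of the first mitigation (not InvenTree’s or Astra’s code), here is a scheme-allowlisting check for Markdown link destinations: it flags the page’s payload even when the scheme is case-mangled, percent-encoded or entity-encoded, and can rewrite such links to inert text. `SAFE_SCHEMES`, `find_unsafe_links` and `neutralize_links` are assumed names, and the sample note is constructed.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical server-side check, not InvenTree's own code: a Markdown note is
# accepted only if every link destination uses an allowlisted URL scheme.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Inline Markdown link or image: [text](destination), with one level of
# balanced parentheses allowed inside the destination, e.g. alert(1).
LINK_RE = re.compile(r"!?\[([^\]]*)\]\(\s*<?((?:[^\s()<>]|\([^()]*\))*)>?\s*\)")


def scheme_of(destination: str) -> Optional[str]:
    """Normalized scheme of a link destination, or None for a relative URL."""
    # Renderers decode HTML entities and percent-escapes, and browsers ignore
    # control characters before the colon, so normalize before inspecting.
    cleaned = unquote(html.unescape(destination))
    cleaned = re.sub(r"[\x00-\x20]", "", cleaned)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else None


def find_unsafe_links(markdown: str) -> list:
    """Destinations of every link whose scheme is not on the allowlist."""
    unsafe = []
    for m in LINK_RE.finditer(markdown):
        scheme = scheme_of(m.group(2))
        if scheme is not None and scheme not in SAFE_SCHEMES:
            unsafe.append(m.group(2))
    return unsafe


def neutralize_links(markdown: str) -> str:
    """Strip the destination from unsafe links, keeping only the visible text."""
    def repl(m):
        scheme = scheme_of(m.group(2))
        if scheme is None or scheme in SAFE_SCHEMES:
            return m.group(0)
        return m.group(1)
    return LINK_RE.sub(repl, markdown)


# Constructed sample note: the page's own payload next to a benign link.
SAMPLE_NOTE = (
    "# [HELLO ClickME](javascript:alert(1))\n"
    "See [the docs](https://example.com/docs) for details."
)
```

A CSP without `'unsafe-inline'` remains the second layer, since an allowlist only covers the link destinations the parser recognizes.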

This vulnerability is a good reminder that no input should be trusted. This is especially true for features like Markdown, which allow rich and complex formatting of text. InvenTree’s quick identification of the loophole and subsequent patch release show the effectiveness of vulnerability disclosure and cooperation between developers and researchers.