Stored XSS via SVG File in inventree/inventree
Sep 16th 2022
By uploading SVG files, the users can perform Stored XSS attack.
Copy the following code and save as filename.svg.
Proof of Concept
 Login as user with upload permission.
 upload the payload injected SVG file at https://demo.inventree.org/order/sales-order/3/
 Copy the uploaded svg file url and open in new tab. (every logged user can access to this url)
 XSS ! (https://demo.inventree.org/media/so_files/3/yourfile.svg)
if you need more specific information, feel free to contact me.
If an attacker can execute the script in the victim's browser via SVG file, they might compromise that user by stealing its cookies.