Stored XSS in Customer Company Description in inventree/inventree


Reported on

Jun 13th 2022


The application inventree is vulnerable to Stored XSS in the customer company description field.

Proof of Concept

Video PoC Link:


This allows an attacker to execute malicious scripts in the browsers of all project members, which can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the inventree team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
We have contacted a member of the inventree team and are waiting to hear back 2 years ago
Oliver validated this vulnerability 2 years ago
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver marked this as fixed in 0.7.2 with commit 26bf51 2 years ago
Oliver has been awarded the fix bounty 2 years ago


@admin Can you assign CVE?
