Impact
A path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: encode_svg_image(), asset(), and uploaded_image() in src/backend/InvenTree/report/templatetags/report.py.
This requires staff access (to upload / edit templates with maliciously crafted tags).
If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory.
Patches
This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions.
Workarounds
None
References
#11579
This attack must be performed by an authenticated user. Refer to the InvenTree threat model documentation, which covers our "assumed level of trust":
https://docs.inventree.org/en/latest/concepts/threat_model/
alonaki Reporter
Impact
A path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions:
encode_svg_image(),asset(), anduploaded_image()insrc/backend/InvenTree/report/templatetags/report.py.This requires staff access (to upload / edit templates with maliciously crafted tags).
If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory.
Patches
This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions.
Workarounds
None
References
#11579
This attack must be performed by an authenticated user. Refer to the InvenTree threat model documentation, which covers our "assumed level of trust":
https://docs.inventree.org/en/latest/concepts/threat_model/