Skip to content

Formula Injection in Exported Data

Moderate severity GitHub Reviewed Published Jun 15, 2022 in inventree/InvenTree • Updated Jan 12, 2023

Package

pip inventree (pip)

Affected versions

< 0.7.2

Patched versions

0.7.2

Description

Impact

Datasets exported to file (e.g. CSV / XLS) are not sufficiently sanitized, to neutralize potential formula injection

Patches

  • The issue is addressed in the upcoming 0.8.0 release
  • This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release

Workarounds

Users exporting untrusted data should open the files in safe mode (e.g. in Microsoft Excel).

References

For more information

If you have any questions or comments about this advisory:

References

@SchrodingersGat SchrodingersGat published to inventree/InvenTree Jun 15, 2022
Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jan 12, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-7rq4-qcpw-74gq

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.