CVE-2024-47610

7.3 HIGH

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in the InvenTree inventory management system. Registered users can inject malicious JavaScript into markdown notes fields, and that script then executes in the browsers of other logged-in users who view those notes. All InvenTree instances running versions before 0.16.5 are affected.

💻 Affected Systems

Products:
  • InvenTree
Versions: All versions before 0.16.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the attacker to have a registered user account; affects the markdown notes functionality

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through credential theft.

🟠

Likely Case

Attackers with registered user accounts inject malicious scripts to steal session tokens or perform unauthorized actions within the application.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized and displayed as harmless text.
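The "output encoding" that neutralizes a stored XSS in a notes field means rendering the user's markdown to HTML and then passing that HTML through an allowlist sanitizer before it reaches another user's browser. The following is an added example of such a sanitizer built on the Python standard library; it is not InvenTree's own code, and the tag and attribute allowlists, the `sanitize_html` name and the permitted URL schemes are assumptions chosen for a notes field rather than the project's configuration.

```python
"""Allowlist HTML sanitizer for rendered markdown notes.

Added example, not InvenTree's code. Assumes the application renders user
markdown to HTML and then calls sanitize_html() on the result before it is
stored or served. The allowlists below are assumptions for a notes field.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: formatting a notes field legitimately needs, nothing else.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol",
                "li", "h1", "h2", "h3", "a", "blockquote"}
# Attributes kept per tag; on* event handlers, style, src etc. are never kept.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# URL schemes accepted in href; anything else (javascript:, data:, ...) is dropped.
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_href(value):
    """True for relative URLs and for absolute URLs with an allowed scheme."""
    # Browsers ignore control characters and whitespace inside a scheme, so
    # remove them before looking at the scheme (catches "java\tscript:").
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    try:
        scheme = urlsplit(cleaned).scheme
    except ValueError:  # malformed URL (e.g. bad IPv6 literal): reject
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside <script>/<style>: their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept (escaped)
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # Entities were decoded by the parser; re-escape so text stays text.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments carry no value in notes and are dropped


def sanitize_html(html):
    """Return `html` with only allowlisted tags/attributes and safe hrefs."""
    s = _Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    print(sanitize_html('<p>ok <a href="https://example.com/" onclick="x()">link</a></p>'))
```

The design point is that the sanitizer runs on the server at render time, on the HTML the markdown converter produced, so it does not matter how the markdown editor behaved in the browser. Tags that are not on the allowlist lose their markup but keep their text, which is why the "If Mitigated" outcome above is harmless text rather than an error.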

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access; stored XSS payloads are simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.16.5 and later

Vendor Advisory: https://github.com/inventree/InvenTree/security/advisories/GHSA-wp3m-jhgv-rhqr

Restart Required: Yes

Instructions:

1. Back up your database and configuration.
2. Update InvenTree to version 0.16.5 or later using your deployment method (pip, Docker, etc.).
3. Restart the application service.
4. Verify that the update was successful.

🧯 If You Can't Patch

  • Disable user registration to prevent new malicious accounts
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check InvenTree version via web interface admin panel or by examining the deployment configuration

Check Version:

Check InvenTree web interface or deployment logs for version information

Verify Fix Applied:

After updating, test markdown fields by attempting to insert JavaScript payloads and verify they are sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual markdown content with script tags or JavaScript code
  • Multiple failed login attempts followed by markdown creation

Network Indicators:

  • Outbound connections to suspicious domains after viewing markdown content

SIEM Query:

search for 'markdown' AND ('script' OR 'javascript' OR 'onload' OR 'onerror') in application logs
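The SIEM query above is a keyword search; the added example below turns the same idea into a small scanner that a defender can run over exported application logs. It is not from InvenTree or the advisory: it assumes the application writes one JSON line per notes-field save with `ts`, `user`, `object` and `content` keys, and the sample log lines are constructed. The pattern list goes slightly beyond the query by also catching `javascript:` URLs and `iframe` tags, and the repeat-offender helper shows how to prioritise triage.

```python
"""Flag stored-XSS indicators in notes-field audit logs.

Added example, not InvenTree's code. Assumed log format: one JSON object per
line with ts, event, user, object and content keys. Sample lines constructed.
"""
import json
import re

# Indicators from the SIEM query (script, javascript, onload, onerror), widened
# to other common event handlers, javascript: URLs and iframes. Case-insensitive
# so mixed-case tags are caught too.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=|<\s*iframe\b",
    re.IGNORECASE,
)

# Constructed sample log: two benign saves and two that carry XSS indicators.
SAMPLE_LOG = """\
{"ts": "2024-10-01T10:00:00Z", "event": "notes.update", "user": "alice", "object": "part/17", "content": "# Reorder\\nContact supplier **before** Friday"}
{"ts": "2024-10-01T10:02:13Z", "event": "notes.update", "user": "mallory", "object": "part/18", "content": "<img src=x onerror=x()>"}
{"ts": "2024-10-01T10:03:40Z", "event": "notes.update", "user": "bob", "object": "stock/5", "content": "see [datasheet](https://vendor.example/ds.pdf)"}
{"ts": "2024-10-01T10:05:02Z", "event": "notes.update", "user": "mallory", "object": "part/18", "content": "[x](JavaScript:x())"}
"""


def scan_log(text):
    """Return one finding dict per log line whose content matches SUSPICIOUS."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        match = SUSPICIOUS.search(rec.get("content", ""))
        if match:
            findings.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "object": rec["object"],
                "pattern": match.group(0),
            })
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with at least `threshold` flagged saves, sorted by name."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} user={h["user"]} object={h["object"]} matched={h["pattern"]!r}')
    print("repeat offenders:", repeat_offenders(hits))
```

Expect false positives from legitimate notes that mention JavaScript in prose (the `javascript:` pattern in particular); the object and user fields in each finding are there so an analyst can open the note and confirm, and a second hit from the same account is a stronger signal than any single match.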