InvenTree Path Traversal Vulnerability in Report Template Engine Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in InvenTree, an open-source inventory management system, prior to version 1.2.6. This vulnerability exists in the report template engine, where a staff-level user can read arbitrary files from the server's filesystem by using crafted template tags. The issue affects the 'encode_svg_image()', 'asset()', and 'uploaded_image()' functions in the report template tags module. Exploitation requires staff access to upload or edit templates with malicious tags. If the InvenTree installation has high access privileges on the host system, this vulnerability could allow file access outside of the InvenTree source directory.
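As an added example that is not InvenTree's own code, the following Python sketch shows the class of defect described above: a template-tag file loader that joins a user-supplied name onto the media root without a containment check, beside a hardened version that resolves the path and refuses anything outside the root (symlinks included). The function names, the temporary media directory and the file names are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class AssetPathError(ValueError):
    """Raised when a template tag asks for a file outside the media root."""


def unsafe_asset_path(root: str, name: str) -> str:
    # Naive join, the shape of the defect: "../../etc/passwd" walks out of
    # root, and an absolute name makes os.path.join discard root entirely.
    return os.path.join(root, name)


def safe_asset_path(root: str, name: str) -> str:
    root_path = Path(root).resolve()
    if Path(name).is_absolute():
        raise AssetPathError(f"absolute asset path rejected: {name}")
    # resolve() normalises ".." and follows symlinks, so a link placed inside
    # root that points outside is caught by the containment check as well.
    candidate = (root_path / name).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        raise AssetPathError(f"asset path escapes media root: {name}") from None
    return str(candidate)


def demo() -> dict:
    """Exercise both helpers against a constructed media directory (hypothetical)."""
    results = {}
    with tempfile.TemporaryDirectory() as media:
        (Path(media) / "logo.svg").write_text("<svg/>")
        # A symlink inside the media root pointing at a file outside it.
        os.symlink("/etc/passwd", Path(media) / "link.svg")
        escaped = os.path.normpath(unsafe_asset_path(media, "../../etc/passwd"))
        results["unsafe_escape_contained"] = escaped.startswith(media)
        expected = str(Path(media).resolve() / "logo.svg")
        results["safe_ok"] = safe_asset_path(media, "logo.svg") == expected
        for name in ("../../etc/passwd", "/etc/passwd", "link.svg"):
            try:
                safe_asset_path(media, name)
                results[name] = "allowed"
            except AssetPathError:
                results[name] = "blocked"
    return results
```

The containment check is the fix pattern to look for when auditing any helper that turns a template-supplied name into a filesystem path.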

Impact

Exploitation of this vulnerability could lead to unauthorized reading of files from the server's filesystem, potentially accessing sensitive information outside of the InvenTree source directory if high host privileges are granted.

Remediation

Users should update to InvenTree version 1.2.6 or 1.3.0 and above, where this vulnerability has been patched. No known workarounds are available.

Added: Mar 26, 2026, 8:41 PM
Updated: Mar 26, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.7
exploitability: 4.9
remediation: 7.7
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.