GHSA-85q9-7467-r53q: 
Python vulnerability analysis and mitigation

A high-severity XSS vulnerability (GHSA-85q9-7467-r53q) was discovered in InvenTree's implementation of EasyMDE markdown editor. The vulnerability affects versions prior to 0.7.3, where the editor fails to sanitize input data in various places, particularly in the 'notes' fields associated with different models. The issue was published on June 16, 2022, and last updated on January 12, 2023 (GitHub Advisory).

The vulnerability stems from EasyMDE's default configuration which does not sanitize input data, allowing potential injection of malicious code into the markdown editor that can be executed in users' browsers. The vulnerability is classified as CWE-79 (Cross-site Scripting) and has been assigned a High severity rating. It's important to note that the exploitation requires an authorized user to upload malicious data to the database, limiting the risk to trusted users (GitHub Advisory).

The vulnerability allows malicious code injection through the markdown editor, which can then be executed in users' browsers. However, the impact is somewhat limited as the attack vector requires an authorized user to upload the malicious data to the database first (GitHub Advisory).

The issue has been addressed with a two-fold solution: enabling data sanitization for the EasyMDE renderer and enforcing cleaning of all data uploaded to the database via the API. These fixes are implemented in version 0.7.3 and the 0.8.0 release. There are no workarounds available without upgrading InvenTree to the specified patched versions (GitHub Advisory).