By uploading an SVG file, a user can perform a stored XSS attack.
Copy the following code and save it as filename.svg.
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
[1] Log in as a user with upload permission.
[2] Upload the payload-injected SVG file at https://demo.inventree.org/order/sales-order/3/
[3] Copy the uploaded SVG file URL and open it in a new tab. (Every logged-in user can access this URL.)
[4] XSS! (https://demo.inventree.org/media/so_files/3/yourfile.svg)
If you need more specific information, feel free to contact me.
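An upload-side check for the case reported above, added here as an example (it is not InvenTree's code or its fix). The payload contains no literal `<script`, so the check parses the file with namespaces resolved and allowlists SVG elements; `svg_rejection_reason`, `split_qname` and the allowlist are hypothetical names chosen for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Constructed allowlist for illustration; extend it to the SVG features you need.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "title", "desc",
                "defs", "linearGradient", "radialGradient", "stop", "clipPath"}
# The payload from the report: a prefixed element in the XHTML namespace.
PAGE_PAYLOAD = b'<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>'
# Constructed samples: the same element nested in a real SVG, and a passive SVG.
NESTED = b'<svg xmlns="http://www.w3.org/2000/svg">' + PAGE_PAYLOAD + b'</svg>'
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>'


def split_qname(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def svg_rejection_reason(data: bytes):
    """Return None if the upload is passive SVG, otherwise a reason string."""
    # Coarse guard: refuse DTDs so entity tricks never reach the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return "DTD/entity declarations not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    if split_qname(root.tag) != (SVG_NS, "svg"):
        return f"root element is {root.tag!r}, not an SVG <svg>"
    for el in root.iter():
        ns, local = split_qname(el.tag)
        if ns != SVG_NS or local not in ALLOWED_TAGS:
            return f"element {el.tag!r} not allowed"
        for name, value in el.attrib.items():
            _, attr = split_qname(name)
            if attr.lower().startswith("on"):
                return f"event handler attribute {attr!r}"
            if attr == "href" and not value.strip().startswith("#"):
                return f"non-fragment href {value!r}"
    return None


if __name__ == "__main__":
    for sample in (PAGE_PAYLOAD, NESTED, BENIGN):
        print(svg_rejection_reason(sample))
```

Serving uploaded media with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` header covers files that were stored before such a check existed.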