Stored Cross-Site Scripting (XSS) #228
Comments
@l4rm4nd, really good one! Thank you for opening this security issue. I will fix it and ship it as part of 1.5.1 release.
BTW, this also works for uploaded file names.

Steps to reproduce

Proof of concept
Payloads are also reflected in the logs area https://demo.papermerge.com/admin/logs
@l4rm4nd, oh, man, thank you for your security audit. I will fix issues in the following days and release 1.5.1 with those security fixes.
Sure, no worries! Thanks for your fast replies and the will to fix the issues. BTW, tags are also susceptible to XSS.

Steps to reproduce
Fixes for XSS issues so far (work in progress):
@l4rm4nd Thank you again for your detailed audit!
Catching and preventing malicious user input such as XSS payloads with a custom regex might work, but is not complete. I'm not an expert in Django but I remember some built-in escaping functions such as
But I will also test some stuff after your fix release.
Identified XSS vectors mitigated by release 1.5.2
Description
Improper validation of user input leads to stored cross-site scripting (XSS) or HTML injection in the papermerge web application. If a user inserts JavaScript or HTML code into a folder name, the specified payload will be executed on opening the folder.
Expected
Potentially malicious client-side code specified by a user should not be executed by the browser in the web application.
Actual
The browser successfully executes the specified JS or HTML payloads if the newly created folder is opened.
Steps to reproduce
Impact
This may allow an attacker to steal sensitive session information or CSRF tokens for executing a Cross-Site Request Forgery attack.
Likelihood
Authentication is required to access the papermerge web application.
Recommendation
Do not trust any user input and validate inputs properly. See https://owasp.org/www-community/attacks/xss/
Info:
Tested in the publicly available demo page. https://demo.papermerge.com/admin/browse
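The following is an added illustration of the recommendation above and of the later comment about regex filtering versus built-in escaping; it is not papermerge code and was not posted by anyone in this thread. It assumes nothing about papermerge's templates: the `render_*` functions, the `foreign_tags` check and the sample folder names are constructed for this example. It uses Python's standard-library `html.escape`, which applies the same character-escaping rule (`& < > " '`) as Django's template autoescaping and `django.utils.html.escape`, the built-in mechanisms a Django view would normally rely on instead of a custom regex.

```python
"""Escape-at-output for user-controlled strings such as folder names.

Added illustration, not papermerge code. Only the standard library is used.
"""
import html
import re

# Constructed sample inputs: a legitimate folder name that happens to contain
# markup characters, and the kind of payload the report describes.
LEGIT_NAME = 'Tom & Jerry\'s "Q1" <draft>'
SCRIPT_NAME = "<script>alert(1)</script>"


def render_folder_unsafe(name: str) -> str:
    """Vulnerable pattern: user input concatenated straight into HTML."""
    return f'<li class="folder" title="{name}">{name}</li>'


def render_folder_safe(name: str) -> str:
    """Fix: escape at output time. quote=True also covers the attribute context."""
    safe = html.escape(name, quote=True)
    return f'<li class="folder" title="{safe}">{safe}</li>'


def render_log_safe(level: str, message: str) -> str:
    """Same rule for a log view, where the thread notes payloads are also reflected."""
    return f"<tr><td>{html.escape(level)}</td><td>{html.escape(message)}</td></tr>"


# Matches the start of any HTML tag (opening or closing) in a rendered fragment.
_TAG_RE = re.compile(r"<\s*(/?[A-Za-z][A-Za-z0-9]*)")
# Wrappers that the hypothetical templates above emit themselves.
_ALLOWED_WRAPPERS = {"li", "/li", "tr", "/tr", "td", "/td"}


def foreign_tags(rendered: str) -> list[str]:
    """Tags in the fragment other than the template's own wrappers.

    Anything listed here came from user data and would be parsed as markup
    by the browser, so a correctly escaped fragment yields an empty list.
    """
    return [t.lower() for t in _TAG_RE.findall(rendered)
            if t.lower() not in _ALLOWED_WRAPPERS]


def strip_tags_input(name: str) -> str:
    """A regex input filter of the kind discussed in the thread.

    It deletes anything tag-like at input time, so a legitimate name that
    contains '<' or '>' is silently mangled in storage, whereas escaping at
    output keeps the stored value intact (see round_trips).
    """
    return re.sub(r"<[^>]*>", "", name)


def round_trips(name: str) -> bool:
    """Escaping is lossless: unescaping the displayed text gives the stored value back."""
    return html.unescape(html.escape(name, quote=True)) == name


if __name__ == "__main__":
    for name in (LEGIT_NAME, SCRIPT_NAME):
        unsafe, safe = render_folder_unsafe(name), render_folder_safe(name)
        print("unsafe:", unsafe, "-> foreign tags:", foreign_tags(unsafe))
        print("safe  :", safe, "-> foreign tags:", foreign_tags(safe))
        print("regex filter would store:", repr(strip_tags_input(name)))
```

Run it directly to see the two renderings side by side: the unsafe fragment carries the `<script>` element into the page, the escaped one carries only `&lt;script&gt;` text, and the legitimate name survives escaping unchanged while the regex filter drops its `<draft>` suffix.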