Stored Cross-Site Scripting (XSS) #228

Closed
@l4rm4nd

Description
Improper validation of user input leads to stored cross-site scripting (XSS) or HTML injection in the papermerge web application. If a user inserts JavaScript or HTML code into a folder name, the specified payload will be executed on opening the folder.

Expected
Potentially malicious client-side code specified by a user should not be executed in the web application by the browser.

Actual
The browser successfully executes the specified JS or HTML payloads if the newly created folder is opened.

Steps to reproduce

  1. Log in to the papermerge web application at https://demo.papermerge.com/admin/browse
  2. Create a new folder named "XSS Folder<script>alert('XSS');</script>" without the quotes
  3. Open the newly created folder with the XSS payload and experience a JavaScript XSS popup saying "XSS".

Impact
This may allow an attacker to steal sensitive session information or CSRF tokens for executing a Cross-Site Request Forgery attack.

Likelihood
Authentication is required to access the papermerge web application.

Recommendation
Do not trust any user input and validate inputs properly. See https://owasp.org/www-community/attacks/xss/

Info:
Tested on the publicly available demo page: https://demo.papermerge.com/admin/browse
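
An added example, not part of the original report and not papermerge's own code: a regression check for the behaviour described above, using the folder name from the reproduction steps. The two `render_folder_*` functions are hypothetical stand-ins for wherever the stored folder name is written into the page; the check parses the rendered markup and reports any element the template itself never emits.

```python
import html
from html.parser import HTMLParser

# Folder name taken from the report's reproduction steps.
FOLDER_NAME = "XSS Folder<script>alert('XSS');</script>"


def render_folder_unsafe(name: str) -> str:
    """Hypothetical view: interpolates the stored name into markup as-is."""
    return f'<li class="folder"><a href="#">{name}</a></li>'


def render_folder_safe(name: str) -> str:
    """Same hypothetical view with the name HTML-encoded at output time."""
    return f'<li class="folder"><a href="#">{html.escape(name, quote=True)}</a></li>'


class _Collector(HTMLParser):
    """Records every element start tag and every text node in the markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def inspect(markup: str):
    """Return (element names, concatenated text) parsed from rendered markup."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, "".join(collector.text)


def injected_elements(markup: str, allowed=("li", "a")):
    """Elements present in the output that the template never emits itself."""
    tags, _ = inspect(markup)
    return [tag for tag in tags if tag not in allowed]
```

With encoding applied at output, the folder name survives as visible text exactly as the user typed it, so nothing has to be stripped or rejected at input time.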
