[GH-ISSUE #271] Cross Site Scripting On Tags (https://demo.papermerge.com/admin/tags) #219

Closed
opened 2026-02-25 21:31:28 +03:00 by kerem · 12 comments

Originally created by @omemishra on GitHub (Dec 25, 2020).
Original GitHub issue: https://github.com/ciur/papermerge/issues/271

Originally assigned to: @ciur on GitHub.

Dear Team,

Hope you are doing very well. I was looking into the application and I found that I can access the guest option, so I was checking your application and I found a stored cross site scripting on the Tags option.

Steps:-

  1. Open the following URL "https://demo.papermerge.com/admin/tags"
  2. Click on important
  3. Now in the "Description (optional):" enter the payload "Ome Mishra "><svg/onload=alert("XSS_By_OME")>"
  4. Click on save
  5. Now you will find that your xss will execute successfully.

Impacts:-

  1. Can lead to session hijacking
  2. Redirection
  3. All XSS-related issues are very critical

Adding POC down below
![POC-1](https://user-images.githubusercontent.com/25466820/103129030-51331e80-46bd-11eb-85cd-897dacf3a716.jpg)
![POC-2](https://user-images.githubusercontent.com/25466820/103129035-53957880-46bd-11eb-81c2-12bd15771c88.jpg)

Thanks & Regards
Ome


@ciur commented on GitHub (Dec 26, 2020):

@omemishra, thank you for your security audit. I will fix this issue.


@ciur commented on GitHub (Dec 27, 2020):

Fixed in 1.5.x branch.
Fix is available as part of 1.5.5 release.
This is actually a bug in Django :), it does not escape form input in case of `form.save(commit=False)`


@omemishra commented on GitHub (Dec 27, 2020):

Dear Ciur,

Thank you so much for your response. Please let me know when it will be fixed so that I can recheck it again.

Regards
Ome


@omemishra commented on GitHub (Jan 4, 2021):

Dear Team,

Let me know if this vulnerability is fixed?

Regards
Ome


@ciur commented on GitHub (Jan 4, 2021):

@omemishra, yes, it is fixed in the latest release (which is 1.5.5).


@omemishra commented on GitHub (Jan 4, 2021):

Dear team,

Again I have found the XSS.

Steps:-

1. Open the following URL "https://demo.papermerge.com/admin/tags"
2. Click on important
3. Now you can edit the name of the tag.... enter the payload "Ome Mishra "><svg onmouseover=alert("XSS_By_OME")>"
4. Click on save
5. Now you will find that your xss will execute successfully.

Looks like this is not yet fixed...

Regards
Ome
![Tag_XSS](https://user-images.githubusercontent.com/25466820/103559595-663d5800-4edc-11eb-8c67-ac9a62f2c101.png)


@ciur commented on GitHub (Jan 6, 2021):

@omemishra, thanks for feedback!
Will be fixed!


@omemishra commented on GitHub (Jan 6, 2021):

Hello Team,

Thanks for your response.

Let me know when it will be fixed.

Regards
Ome


@ciur commented on GitHub (Feb 2, 2021):

@omemishra, fixed. You can check it directly on https://demo.papermerge.com
Credentials are guest/password77a (they are public, as guest account is used for public demo)


@omemishra commented on GitHub (Feb 2, 2021):

Dear @ciur,

Thanks for your response. I have found more XSS on this application; hope there is any bug bounty. hahaha

link:-
https://demo.papermerge.com/document/26/
in images metadata add "Ome Mishra "><svg onmouseover=alert("XSS_By_OME")>" and you will see the XSS payload executed successfully

link 2 :
https://demo.papermerge.com/
in folder metadata add "Ome Mishra "><svg onmouseover=alert("XSS_By_OME")>" and you will see the XSS payload executed successfully

Also please add client-side validation as well, because self-XSS is there on the previously reported place.

Regards
Ome

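The thread touches two defensive points: the maintainer's note that the stored tag value was not being escaped before it reached the page, and the reporter's request for validation of the tag fields. The following is an added example, not code from Papermerge or Django, that shows both in plain Python: a vulnerable render of a tag into HTML beside an escaped one (escaping must cover the double-quoted attribute context as well as the text context, since the reported payload breaks out of an attribute), a parser-based check that a rendered fragment contains no event-handler attributes, and a server-side validator for tag names and descriptions. `PAYLOAD` is a constructed value mirroring the shape of the one reported.

```python
import html
from html.parser import HTMLParser

# Constructed sample mirroring the reported shape: closes a quoted attribute, then injects an element
# carrying an event handler. Not copied from the report.
PAYLOAD = 'Ome Mishra "><svg onmouseover=alert("XSS")>'


def render_tag_unsafe(name, description):
    # Vulnerable pattern: stored values concatenated straight into markup.
    return f'<span class="tag" title="{description}">{name}</span>'


def render_tag_escaped(name, description):
    # Hardened pattern: html.escape(quote=True) neutralises <, >, &, " and ', which covers
    # both the text node and the double-quoted title attribute used here.
    return (f'<span class="tag" title="{html.escape(description, quote=True)}">'
            f'{html.escape(name, quote=True)}</span>')


class HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* event-handler attribute in the markup."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for attr, _value in attrs:
            if attr.lower().startswith("on"):
                self.handlers.append((tag, attr))


def event_handlers(markup):
    # Defensive check usable in a template test: parse the rendered fragment the way a
    # browser would and report any element that gained an event-handler attribute.
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


def tag_value_is_clean(value, max_len=64):
    # Server-side validation for a tag name or description (hypothetical policy for this
    # example): non-empty, bounded length, and no markup or quote characters at all.
    return 0 < len(value) <= max_len and not any(c in value for c in "<>\"'")
```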

@ciur commented on GitHub (Feb 3, 2021):

@omemishra, at this point there are no bug bounties. The best thing I can do at this moment is to add you to [contributors list](https://github.com/ciur/papermerge/blob/master/CONTRIBUTORS.md) as security auditor.

I [fixed XSS](https://github.com/papermerge/papermerge-core/commit/25a5c66ba9808d446e8d0f07064656a6b7f2afca) issue for metadata. [Demo page](https://demo.papermerge.com) features latest code updates (of the master branch).

Thank you for your great help!


@omemishra commented on GitHub (Feb 6, 2021):

Dear Ciur,

Thanks for adding me to the contributor list.
We can test your whole website, like a VAPT. Please share your email if you want a proper VAPT.

Thanks & Regards
Ome
