[GH-ISSUE #316] Cross-Site Scripting (XSS) in Permission Management #250

Closed
opened 2026-02-25 21:31:32 +03:00 by kerem · 3 comments

Originally created by @l4rm4nd on GitHub (Feb 26, 2021).
Original GitHub issue: https://github.com/ciur/papermerge/issues/316

Originally assigned to: @ciur on GitHub.

Version: Papermerge 2.0rc35

Group names are not properly escaped, which leads to XSS if the permissions of a document are edited.

Steps to reproduce

First, create a new group with the following XSS payload as group name:

<script>alert(0)</script>

Then proceed and upload an example document into the papermerge application.

Select the document, right-click and choose Permissions.

After clicking the edit, create or view button, the group name's XSS payload is triggered and executed by the browser.

Steps to mitigate this issue

As previously, it is recommended to escape all untrusted user input before reflecting or storing the data.
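
The mitigation recommended in the report (encode group names on output), shown as an added example that is not Papermerge's code or its actual fix: a permission-editor group dropdown rendered without and with HTML encoding. The function names and sample groups are hypothetical; the second group name is the payload from the report.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker for markup that the html`` helper itself produced (already encoded).
class Raw {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: every interpolated value is encoded by default, so a
// forgotten escape call cannot reintroduce the bug. Only Raw passes through.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    const parts = Array.isArray(value) ? value : [value];
    out += parts.map((p) => (p instanceof Raw ? p.markup : escapeHtml(p))).join("");
    out += strings[i + 1];
  });
  return new Raw(out);
}

// Before: the group name is concatenated into markup as-is, which is the
// behaviour the report describes.
function renderGroupsUnsafe(groups) {
  const options = groups.map((g) => `<option value="${g.id}">${g.name}</option>`);
  return `<select name="group">${options.join("")}</select>`;
}

// After: same markup, but id and name are encoded before they reach the page.
function renderGroupsSafe(groups) {
  const options = groups.map((g) => html`<option value="${g.id}">${g.name}</option>`);
  return html`<select name="group">${options}</select>`.toString();
}

// Constructed sample groups; the second name is the payload from the report.
const sampleGroups = [
  { id: 1, name: "Accounting" },
  { id: 2, name: "<script>alert(0)</script>" },
  { id: 3, name: 'R&D "ops"' },
];

console.log(renderGroupsUnsafe(sampleGroups));
console.log(renderGroupsSafe(sampleGroups));
```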

kerem 2026-02-25 21:31:32 +03:00
  • closed this issue
  • added the bug label

@ciur commented on GitHub (Feb 26, 2021):

@l4rm4nd, thank you for your detailed report. I will take care of XSS fixes!


@ciur commented on GitHub (Feb 28, 2021):

@l4rm4nd, fix is now part of 2.0.0rc38 release (https://github.com/ciur/papermerge/releases/tag/v2.0.0rc38)

@l4rm4nd commented on GitHub (Mar 8, 2021):

Seems fixed. Cannot reproduce the XSS vulnerability.
