[GH-ISSUE #340] Fixed XSS during file upload time #269

New issue

Closed

opened 2026-02-25 21:31:34 +03:00 by kerem · 3 comments

kerem commented 2026-02-25 21:31:34 +03:00

Owner

Copy link

Originally created by @B3EF on GitHub (Mar 8, 2021).
Original GitHub issue: https://github.com/ciur/papermerge/issues/340

Originally assigned to: @ciur on GitHub.

the rendering of file name during the file upload time has caused an xss.
i have fixed it in your papermerge-js repo please refer this
https://github.com/418sec/papermerge-js

Originally created by @B3EF on GitHub (Mar 8, 2021). Original GitHub issue: https://github.com/ciur/papermerge/issues/340 Originally assigned to: @ciur on GitHub. the rendering of file name during the file upload time has caused an xss. i have fixed it in your papermerge-js repo please refer this https://github.com/418sec/papermerge-js

kerem 2026-02-25 21:31:34 +03:00

• closed this issue
• added the
  bug
  security
  medium impact
  labels

kerem commented 2026-02-25 21:31:35 +03:00

Author

Owner

Copy link

@ciur commented on GitHub (Mar 8, 2021):

@BEFF, thanks for pull request, I will take care !

<!-- gh-comment-id:792936940 --> @ciur commented on GitHub (Mar 8, 2021): @BEFF, thanks for pull request, I will take care !

kerem commented 2026-02-25 21:31:35 +03:00

Author

Owner

Copy link

@B3EF commented on GitHub (Mar 19, 2021):

Hi @ciur any updates?

<!-- gh-comment-id:802478638 --> @B3EF commented on GitHub (Mar 19, 2021): Hi @ciur any updates?

kerem commented 2026-02-25 21:31:35 +03:00

Author

Owner

Copy link

@ciur commented on GitHub (Mar 20, 2021):

See my comment here.
Fixed as part of the issue #338.

<!-- gh-comment-id:803257971 --> @ciur commented on GitHub (Mar 20, 2021): See my comment [here](https://github.com/ciur/papermerge-js/pull/13#issuecomment-803257845). [Fixed](https://github.com/ciur/papermerge-js/commit/88adef6d4d102fcd31c8a270c87a3bba563a1a7a) as part of the issue #338.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

stable/2.0.x

add-warnings-to-2-0-branch

stable/2.1.x

stable/1.5.x

stable/1.4.x

stable/1.2.x

stable/1.3.x

stable/1.1.x

stable/1.0.x

3.5.3

3.5.1

3.5

3.4

3.5.2

3.3.1

3.1

3.0.3

3.0.2

3.2

3.0.1

3.0

2.0.x-with-banner

v2.1.9

v2.1.8

v2.1.7

v2.1.5

v2.1.4

v2.1.1

v2.1.0

v2.1.0b5

v2.1.0b3

v2.1.0b1

v2.0.1

v2.0.0

v2.0.0rc48

v2.0.0rc45

v2.0.0rc43

v2.0.0rc38

v2.0.0rc35

v1.5.5

v1.5.4

v1.5.3

tmp_micro_apps

v1.5.2

v1.5.1

v1.5.0

v1.5.0.rc1

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0.rc3

v1.4.0.rc2

v1.4.0.rc1

v1.2.3

v1.3.0

1.3.0

v1.3.0-alpha

v1.2.2

v1.2.1

v1.2.0

v1.1.0

1.0.0

v1.0.0

Labels

Clear labels   

2.1

  

3.0

  

3.0.1

  

3.0.2

  

3.0.3

  

3.0.3

  

3.1

  

3.2

  

3.2

  

3.3

  

3.5

  

3.x

  

Fixed. Waiting for feedback.

  

Fixed. Waiting for feedback.

  

UX

  

Version 2.1 - alpha

  

XSS

  

announcement

  

beta

  

blocker

  

bug

  

cannot reproduce

  

confirmed

  

confirmed

  

critical

  

demo

  

dependencies

  

deployment

  

detchnical debt

  

discussion

  

docker

  

documentation

  

donations

  

duplicate

  

enhancement

  

feature request

  

frontend

  

fundraising

  

good first issue

  

good issue

  

help wanted

  

high

  

implemented

  

important

  

improvement

  

incomplete

  

invalid

  

investigation

  

kubernetes

  

low

  

low impact

  

medium

  

medium

  

medium impact

  

migration from 2.0

  

migration from 2.1

  

missing-language

  

missing-ocr-language

  

no-activity

  

note

  

ocr

  

outofscope

  

packaging

  

performance

  

popular request

  

pull-request

Mirrored from GitHub Pull Request

  

pypi

  

question

  

raspberry pi

  

roadmap

  

search

  

security

  

setup

  

status

  

task

  

technical debt

  

updates

  

user xp

  

version 1.4.0 - demo

  

will be implemented

  

will not be implemented

  

wontfix

No labels

2.1

3.0

3.0.1

3.0.2

3.0.3

3.0.3

3.1

3.2

3.2

3.3

3.5

3.x

Fixed. Waiting for feedback.

Fixed. Waiting for feedback.

UX

Version 2.1 - alpha

XSS

announcement

beta

blocker

bug

cannot reproduce

confirmed

confirmed

critical

demo

dependencies

deployment

detchnical debt

discussion

docker

documentation

donations

duplicate

enhancement

feature request

frontend

fundraising

good first issue

good issue

help wanted

high

implemented

important

improvement

incomplete

invalid

investigation

kubernetes

low

low impact

medium

medium

medium impact

migration from 2.0

migration from 2.1

missing-language

missing-ocr-language

no-activity

note

ocr

outofscope

packaging

performance

popular request

pull-request

pypi

question

raspberry pi

roadmap

search

security

setup

status

task

technical debt

updates

user xp

version 1.4.0 - demo

will be implemented

will not be implemented

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/papermerge#269

No description provided.