[GH-ISSUE #338] Reflected Cross-Site Scripting (XSS) in Upload Error Messages #270

Closed
opened 2026-02-25 21:31:34 +03:00 by kerem · 3 comments

Originally created by @l4rm4nd on GitHub (Mar 8, 2021).
Original GitHub issue: https://github.com/ciur/papermerge/issues/338

Originally assigned to: @ciur on GitHub.

Affected versions: potentially >= 1.5.2

Hey @ciur,

unfortunately, I've again identified an XSS issue. However, the likelihood of exploitation is very low, since it is a reflected self-XSS, which cannot be exploited by a remote attacker.

Description

Although the application successfully blocks uploaded filenames with unsafe characters, the displayed error message does not properly sanitize the reflected filename. Therefore, if a user uploads a filename with an XSS payload, the file gets successfully blocked and is not uploaded into the application, but the XSS filename is reflected in the displayed error message and instantly executed by the browser.

Example filenames to trigger XSS:

```
Sun'><img src=x onerror=alert(1)>set.jpg
XSS"><iframe src=" javascript:alert('XSS');">.pdf
```

Note: Filenames with special chars are usually only allowed in Unix/Linux operating systems.

image: https://user-images.githubusercontent.com/21357789/110308998-19235280-8001-11eb-8579-0186814f74ec.png

image: https://user-images.githubusercontent.com/21357789/110309111-3821e480-8001-11eb-95e0-20d8c073c418.png

Recommendation

Escape all untrusted user input before storing it in the database or reflecting it in the web application. If user input is always properly escaped, there might even be no need for blocking specific characters.

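The pattern the report describes, as an added example that is not part of the original issue and not papermerge's or papermerge-js's own code: a filename fails a character check, but the rejection message is built by string concatenation and then handed to the DOM as HTML, so the rejected name is parsed as markup. The whitelist regex, the function names and the message wording are assumptions standing in for whatever the real application did; the two payloads are the ones from the report. The hardened renderer applies output escaping, which is the recommendation above, and would make the character block unnecessary for this particular sink.

```javascript
// Added example (not papermerge's code). Shows a filename that is rejected by a
// character check but still reflected unescaped into an error message, beside
// the escaped version. All names and the whitelist regex are assumptions.

// Hypothetical whitelist: the report only says "unsafe characters" are blocked.
const SAFE_FILENAME = /^[A-Za-z0-9._ -]+$/;

function isSafeFilename(name) {
  return SAFE_FILENAME.test(name);
}

// Vulnerable rendering: the rejected filename is concatenated straight into
// markup that the page would assign to innerHTML, so the browser parses it.
function renderErrorUnsafe(filename) {
  return `<div class="error">Upload of ${filename} rejected: unsafe characters in filename</div>`;
}

// HTML-escape the five characters that can break out of text or a quoted
// attribute. The result is safe as element text or inside a double-quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same message, filename escaped before interpolation.
// In real DOM code, assigning `node.textContent = filename` avoids building HTML at all.
function renderErrorSafe(filename) {
  return `<div class="error">Upload of ${escapeHtml(filename)} rejected: unsafe characters in filename</div>`;
}

// Crude check used only for this demo: does the message body contain any tag
// besides the wrapping <div>? Enough to show the difference between the renderers.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="error">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Payloads taken from the issue report.
const PAYLOADS = [
  "Sun'><img src=x onerror=alert(1)>set.jpg",
  'XSS"><iframe src=" javascript:alert(\'XSS\');">.pdf',
];

// For each payload: is it blocked by the whitelist, and does each renderer
// still leak a tag into the error message?
function demo() {
  return PAYLOADS.map((name) => ({
    name,
    blocked: !isSafeFilename(name),
    unsafeInjects: containsInjectedTag(renderErrorUnsafe(name)),
    safeInjects: containsInjectedTag(renderErrorSafe(name)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(r);
}
```

Both payloads are blocked by the whitelist, yet `renderErrorUnsafe` still emits `<img>` and `<iframe>` elements into the message; `renderErrorSafe` emits only `&lt;img` and `&lt;iframe`, which the browser shows as text. The check and the escaping are independent: blocking characters protects storage, escaping protects the sink, and the report's point is that only the second closes this bug.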
kerem 2026-02-25 21:31:34 +03:00
@ciur commented on GitHub (Mar 8, 2021):

@l4rm4nd, thanks for detailed report, I highly appreciate it!

@ciur commented on GitHub (Mar 20, 2021):

Here is the fix: https://github.com/ciur/papermerge-js/commit/88adef6d4d102fcd31c8a270c87a3bba563a1a7a

@ciur commented on GitHub (Apr 6, 2021):

Fix is now part of version 2.0: https://github.com/ciur/papermerge/releases/tag/v2.0.0