[PR #301] [MERGED] Security Fix for XSS - huntr.dev #575

New issue

Closed

opened 2026-02-25 21:32:17 +03:00 by kerem · 0 comments

kerem commented

2026-02-25 21:32:17 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/ciur/papermerge/pull/301
Author: @huntr-helper
Created: 2/9/2021
Status: ✅ Merged
Merged: 2/9/2021
Merged by: @ciur

Base: stable/1.5.x ← Head: stable/1.5.x

📝 Commits (3)

5d90f1e escape html entities in script
337141d escape html entities in db
0a0c803 Merge pull request #1 from d3v53c/stable/1.5.x

📊 Changes

2 files changed (+25 additions, -2 deletions)

View changed files

📝 papermerge/contrib/admin/static/admin/js/papermerge.debug.js (+14 -1)
📝 papermerge/core/views/metadata.py (+11 -1)

📄 Description

@d3v53c (https://huntr.dev/users/d3v53c) has fixed a potential XSS vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

User Comments:

📊 Metadata *

Papermerge is an open source document management system (DMS) primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers - you can quickly scan them and configure your scanner to directly upload to Papermerge DMS.. This package is vulnerable for (XSS).

https://github.com/ciur/papermerge https://pypi.org/project/papermerge/

Bounty URL: https://www.huntr.dev/bounties/1-pip-papermerge/

⚙️ Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

💻 Technical Description *

Cross-Site Scripting (XSS) attacks are mitigated by sanitizing the user inputs before rendering, thereby preventing malicious execution.

🐛 Proof of Concept (PoC) *

clone https://github.com/ciur/papermerge or use demo https://demo.papermerge.com/
add jscode in meta form. Payload used : ">

🔥 Proof of Fix (PoF) *

Before:
https://drive.google.com/file/d/1AovUz4yG46RRVCRlohd1-YyTlO_edEKg/view?usp=sharing

After:

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected

🔗 Relates to...

https://github.com/418sec/huntr/pull/1490/files

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/ciur/papermerge/pull/301 **Author:** [@huntr-helper](https://github.com/huntr-helper) **Created:** 2/9/2021 **Status:** ✅ Merged **Merged:** 2/9/2021 **Merged by:** [@ciur](https://github.com/ciur) **Base:** `stable/1.5.x` ← **Head:** `stable/1.5.x` --- ### 📝 Commits (3) - [`5d90f1e`](https://github.com/ciur/papermerge/commit/5d90f1e2b97dd5ad216b34d92118902e551f75be) escape html entities in script - [`337141d`](https://github.com/ciur/papermerge/commit/337141d10f3fdfb59c4db2700266d87df710cf2e) escape html entities in db - [`0a0c803`](https://github.com/ciur/papermerge/commit/0a0c80360822ec2a36262fa0997c5ae5cead7a00) Merge pull request #1 from d3v53c/stable/1.5.x ### 📊 Changes **2 files changed** (+25 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `papermerge/contrib/admin/static/admin/js/papermerge.debug.js` (+14 -1) 📝 `papermerge/core/views/metadata.py` (+11 -1) </details> ### 📄 Description @d3v53c (https://huntr.dev/users/d3v53c) has fixed a potential XSS vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below... Q | A Version Affected | * Bug Fix | YES Original Pull Request | https://github.com/418sec/papermerge/pull/1 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/papermerge/1/README.md ### User Comments: ### 📊 Metadata * `Papermerge `is an open source document management system (DMS) primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers - you can quickly scan them and configure your scanner to directly upload to Papermerge DMS.. This package is vulnerable for (XSS). `https://github.com/ciur/papermerge https://pypi.org/project/papermerge/` #### Bounty URL: https://www.huntr.dev/bounties/1-pip-papermerge/ ### ⚙️ Description * Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. ### 💻 Technical Description * Cross-Site Scripting (XSS) attacks are mitigated by sanitizing the user inputs before rendering, thereby preventing malicious execution. ### 🐛 Proof of Concept (PoC) * 1. clone https://github.com/ciur/papermerge or use demo https://demo.papermerge.com/ 2. add jscode in meta form. Payload used : "><img src=x onerror=alert(137)> ### 🔥 Proof of Fix (PoF) * Before: `https://drive.google.com/file/d/1AovUz4yG46RRVCRlohd1-YyTlO_edEKg/view?usp=sharing` After: ![image](https://user-images.githubusercontent.com/64132745/107263892-50d1c580-6a68-11eb-9a52-47c1d60b55eb.png) ### 👍 User Acceptance Testing (UAT) After the fix, functionality is unaffected ### 🔗 Relates to... https://github.com/418sec/huntr/pull/1490/files --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>