CVE-2020-29456: Cross-site scripting in papermerge

April 20, 2021 (updated October 9, 2024)

Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document’s filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.

References

github.com/advisories/GHSA-9w49-m7xh-5r39
github.com/ciur/papermerge
github.com/ciur/papermerge/issues/228
github.com/ciur/papermerge/releases/tag/v1.5.2
github.com/pypa/advisory-database/tree/main/vulns/papermerge/PYSEC-2020-74.yaml
nvd.nist.gov/vuln/detail/CVE-2020-29456
www.papermerge.com/

Detect and mitigate CVE-2020-29456 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →