Persistent Cross-Site Scripting
Hi Team,
I've observed a persistent cross-site scripting bug in the code. The issue lies in the jstree implementation.
Location:
The vulnerable code lies in the following file: https://gitlab.com/mayan-edms/mayan-edms/blob/master/mayan/apps/cabinets/templates/cabinets/cabinet_details.html
The vulnerable lines of code are lines 49-52:
'data' : [
{{ jstree_data|safe }}
]
Attack Scenario / Steps:
If a user creates a cabinet with the following label: "}]}});prompt(document.domain);jstree({'core':{'data':[{"text":"
and then clicks the details button to view the cabinet details,
a navigation area is created via jstree which displays this label name as well.
Since the label reaches the inline script unescaped (jstree_data is emitted with the |safe filter, so Django does not escape it, and jstree is not escaping the label names either), the leading " closes the "text" string and breaks the context. The final view of the data looks like this:
'data' : [
{
"text": ""}]}});prompt(document.domain);jstree({'core':{'data':[{"text":"",
"state": { "opened": true, "selected": true },
"data": { "href": "/cabinets/1/" },
},
]
Here "}]}}); closes the string, the node object, the data array, the core object and the surrounding jstree() call that precede the label (the upper part of the script),
;jstree({'core':{'data':[{"text":" reopens a matching structure so that the "state" and "data" keys emitted after the label (the lower part of the script) remain syntactically valid JavaScript,
and prompt(document.domain) is left standing between the two as a free statement,
which executes while the page renders.
Proposed Mitigation: I have two ideas for the mitigation part.
- html encode the cabinet labels before passing them to JSTree.
- Blacklist the " and ' and ( and ) characters for cabinet labels.
Though I would recommend going for the first option. I also found an almost similar thread about a jstree escaping issue; maybe it will be of some help: https://github.com/vakata/jstree/issues/756
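The following is an added example, not code from this report or from the Mayan EDMS code base. It reproduces the break-out described in the attack scenario above and contrasts it with a hardened render in which the whole node list is serialised as JSON before it is placed in the script block (the same encoding Django's json_script filter performs). It assumes the template's inline script can be modelled as a bare jstree({...}) call, which is the shape the reported payload targets, and it stubs jstree, prompt and document with recording functions so that it runs under Node without a browser.

```javascript
// Added example (not from the report or the Mayan EDMS code base): reproduces the
// break-out described in the report and contrasts it with a JSON-serialised render.
// Assumptions: the template's inline script is modelled as a bare jstree({...}) call
// (the payload in the report targets exactly that shape), and jstree/prompt/document
// are replaced by recording stubs so the snippet runs in Node without a browser.

// The cabinet label from the report, used here as the attacker-controlled input.
const PAYLOAD = '"}]}});prompt(document.domain);jstree({\'core\':{\'data\':[{"text":"';

// Vulnerable render: the label is dropped into the script verbatim, which is what
// {{ jstree_data|safe }} amounts to once the data has been built by string formatting.
function renderVulnerable(label) {
  return `jstree({'core': {
  'data': [
    {
      "text": "${label}",
      "state": { "opened": true, "selected": true },
      "data": { "href": "/cabinets/1/" },
    },
  ]
}});`;
}

// Hardened render: serialise the whole structure with JSON.stringify, so a double
// quote inside the label becomes \" and cannot terminate the string, then escape the
// characters that could still close the <script> element or inject markup
// (the same escapes Django's json_script filter applies).
function renderSafe(label) {
  const tree = {
    core: {
      data: [{
        text: label,
        state: { opened: true, selected: true },
        data: { href: '/cabinets/1/' },
      }],
    },
  };
  const json = JSON.stringify(tree)
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/&/g, '\\u0026');
  return `jstree(${json});`;
}

// Execute a rendered script the way the browser would, recording every call to
// jstree() and prompt(). document.domain is a constructed stub value.
function execute(script) {
  const calls = { jstree: [], prompt: [] };
  const jstreeStub = (config) => { calls.jstree.push(config); };
  const promptStub = (message) => { calls.prompt.push(message); };
  const fakeDocument = { domain: 'mayan.example' };
  new Function('jstree', 'prompt', 'document', script)(jstreeStub, promptStub, fakeDocument);
  return calls;
}

// Stand-alone run: the vulnerable page calls prompt() once and jstree() twice;
// the hardened page calls jstree() once with the label preserved character for character.
if (typeof require !== 'undefined' && require.main === module) {
  const vulnerable = execute(renderVulnerable(PAYLOAD));
  console.log('vulnerable: prompt calls =', vulnerable.prompt, 'jstree calls =', vulnerable.jstree.length);
  const safe = execute(renderSafe(PAYLOAD));
  console.log('hardened:   prompt calls =', safe.prompt, 'label =', safe.jstree[0].core.data[0].text);
}
```

The hardened render is the defence for a JavaScript-literal context: the label is handed to the JSON encoder as data rather than concatenated as text, so the quote that opens the break-out is escaped, and the extra \u003C / \u003E / \u0026 escapes stop a label such as </script><script>... from closing the script element, a case that quoting alone does not cover. HTML entity encoding protects the HTML context and would leave a literal " inside the script string, so apply the JSON encoding at the point where jstree_data is built or emitted.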
Let me know if any other details are required. I will also be requesting a CVE for this once the patch is pushed.