Persistent Cross Site Scripting
Hi Team,
I have found another Persistent Cross Site Scripting instance in the code.
Location:
The vulnerable code lies in the following file: https://gitlab.com/mayan-edms/mayan-edms/blob/master/mayan/apps/appearance/static/appearance/js/mayan_app.js
The vulnerable lines of code are lines 62 and 71 (the concatenation of tag.text in each template below).
App.tagSelectionTemplate = function (tag, container) {
    var $tag = $(
        '<span class="label label-tag" style="background: ' + tag.element.dataset.color + ';"> ' + tag.text + '</span>'
    );
    container[0].style.background = tag.element.dataset.color;
    return $tag;
}

App.tagResultTemplate = function (tag) {
    if (!tag.element) { return ''; }
    var $tag = $(
        '<span class="label label-tag" style="background: ' + tag.element.dataset.color + ';"> ' + tag.text + '</span>'
    );
    return $tag;
}
Attack Scenario / Steps:
- Create a tag with the label value test
- Then go to Documents and select New document
- Then select a document type
- On the next screen there is an option to select tags. When you click the input field, the script above executes and creates a new span to display the available tag names. In this span the tag label value is not escaped, so the user's script will execute.
The span generated to display the available tag would look like this:
<span class="label label-tag" style="background: #000000;"> test<script>prompt(document.domain)</script> </span>
Proposed Mitigation:
I would recommend HTML-encoding the tag.text value on lines 62 and 71 before it is concatenated into the markup.
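As an added illustration of that mitigation (example code written for this report, not a patch from the Mayan EDMS project), the hardened template below entity-encodes tag.text before concatenation; it also validates tag.element.dataset.color, which lands in a style attribute in the same template (treating the color as untrusted is an assumption, not something the report states). The tag object shape matches the templates above, and the sample tag is constructed.

```javascript
// Added example, not Mayan's own code. Plain JavaScript, no jQuery needed:
// both templates only build the markup string that would be passed to $().

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only a CSS hex color for the style attribute; anything else falls
// back to a neutral default. (Assumption: tag colors are always hex values.)
function safeColor(value) {
  return /^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/.test(String(value)) ? value : '#cccccc';
}

// The template as written on lines 62 and 71: both values are inserted raw.
function unsafeTagHtml(tag) {
  return '<span class="label label-tag" style="background: ' +
    tag.element.dataset.color + ';"> ' + tag.text + '</span>';
}

// Hardened template: identical markup, but tag.text is entity-encoded and the
// color is validated before being placed in the style attribute.
function safeTagHtml(tag) {
  return '<span class="label label-tag" style="background: ' +
    safeColor(tag.element.dataset.color) + ';"> ' + escapeHtml(tag.text) + '</span>';
}

// Constructed sample: a tag whose label carries the markup shown in the report.
const sampleTag = {
  text: 'test<script>prompt(document.domain)</script>',
  element: { dataset: { color: '#000000' } }
};

// Check used to compare the two outputs: does a raw <script> tag survive?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

console.log(unsafeTagHtml(sampleTag)); // raw <script> element in the markup
console.log(safeTagHtml(sampleTag));   // &lt;script&gt; ... rendered as text
```

With jQuery available, the equivalent fix without any string building is to create the element with $('<span>') and set the label through .text(tag.text), which lets the browser handle the encoding.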
Let me know if any other details are required. I will also request a CVE for this once the patch is pushed.