CVE-2020-29456

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-29456

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-29456.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-29456

Aliases

Published

2020-12-02T08:15:10Z

Modified

2025-01-08T07:24:40.200354Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.

References

Affected packages

Git / github.com/ciur/papermerge

Affected ranges

Type: GIT
Repo: https://github.com/ciur/papermerge
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fd38288c9a7b271e33bbdb18794d3525ea78d964

Affected versions

1.*

1.0.0

1.3.0

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.0-alpha

v1.4.0

v1.4.0.rc1

v1.4.0.rc2

v1.4.0.rc3

v1.4.1

v1.5.0

v1.5.0.rc1

v1.5.1