PYSEC-2020-74

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/papermerge/PYSEC-2020-74.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2020-74

Aliases

Published

2020-12-02T08:15:00Z

Modified

2023-11-01T04:53:00.101992Z

Summary

[none]

Details

Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.

References

Affected packages

PyPI / papermerge

Package

Name: papermerge; View open source insights on deps.dev
Purl: pkg:pypi/papermerge

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.2.0

Fixed

1.5.2

Affected versions

1.*

1.2.0

1.3.0