Cross-site Scripting (XSS) - Generic in ciur/papermerge-js


Reported on

Feb 14th 2021


Papermerge is an open source document management system (DMS) primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers, you can quickly scan them and configure your scanner to upload directly to Papermerge DMS. Papermerge DMS in turn extracts text data from the scanned documents using Optical Character Recognition (OCR) technology, then indexes it and makes it searchable. You will be able to quickly find any (scanned!) document using full text search capabilities. Papermerge is a perfect tool to manage PDF, JPEG, TIFF and PNG formats. papermerge-js is the frontend of Papermerge.

Technical Description

XSS in Papermerge DMS: the tag name is rendered unsanitized in the input label.

Proof of Concept

  • XSS payloads used for the exploit:
    • Blind XSS payload: "><script src=></script> (use your own blind payloads)
    • Reflected XSS payload: <img src=x onerror=alert(1337)>
  1. Set up Papermerge on your localhost
  2. move to
  3. Put the payload in the Name field
  4. BOOM!! XSS triggered
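The rendering flaw described above and its fix, as an added example that is not code from papermerge-js: the function names and the label/input markup are hypothetical, and the two sample strings are the payloads listed in this report. It renders a tag name into both element content and a quoted attribute, first unchanged and then escaped, and counts the tags that end up in the output.

```javascript
// Added example: hypothetical helpers, not the project's own code.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character that can open a tag or close a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the tag name is concatenated into markup unchanged.
function renderTagUnsafe(name) {
  return `<label>${name}</label><input name="tag" value="${name}">`;
}

// Hardened pattern: same markup, tag name escaped for both contexts.
function renderTagSafe(name) {
  const safe = escapeHtml(name);
  return `<label>${safe}</label><input name="tag" value="${safe}">`;
}

// Crude structural check for this demo: count opening and closing tags.
// A correctly rendered widget has exactly 3: <label>, </label>, <input>.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Payload strings as listed in the proof of concept, plus a benign name.
const SAMPLES = [
  "invoices",
  "<img src=x onerror=alert(1337)>",
  '"><script src=></script>',
];

// Render each sample both ways and report how many tags each output holds.
function compare() {
  return SAMPLES.map((name) => ({
    name,
    unsafeTags: countTags(renderTagUnsafe(name)),
    safeTags: countTags(renderTagSafe(name)),
  }));
}

console.table(compare());
```

In browser code the same result comes from assigning the tag name with `textContent` and `setAttribute` instead of building an HTML string.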