Static Code Injection in collectiveaccess/pawtucket2


Reported on

Sep 30th 2021


This is with reference to another SSRF report I made ( in which the fix was to filter external src from images. Pawtucket2 makes use of the same code as Providence to filter HTML; however, it does not include the new fix present in, allowing attackers to still inject an img with a src pointing to an external URL.


It is possible to inject <img src=""> as the name of a Lightbox, confirming that we can still inject HTML with an external src.


HTML injection with img tags of external src is possible. It may be escalated to an SSRF with reference to the earlier report I made, provided the attacker can inject HTML into somewhere which will be rendered as a PDF.

Recommended Fix

Copy this fix to the below permalink.
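
The rule the report describes (filtering external src from images) can be sketched as follows. This is an added illustration written in Python, not the CollectiveAccess fix or code from either repository; the function names and the `attacker.example` inputs are constructed, and it covers only the img/src rule, not a full HTML sanitizer.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_external(src):
    """True if src carries a scheme or host, i.e. is not a same-site path."""
    # Browser URL parsing drops tabs, newlines and surrounding whitespace and
    # treats "\" as "/", so normalise those before classifying.
    cleaned = "".join(ch for ch in src if ch > " ").replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return True  # unparseable: treat as external
    return bool(parts.scheme or parts.netloc)


class ImgSrcFilter(HTMLParser):
    """Re-emits markup, dropping every <img> that has an external src."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        # Check every src attribute: parsers disagree on which duplicate wins.
        bad = [v for k, v in attrs if k == "src" and is_external(v or "")]
        if tag == "img" and bad:
            self.dropped.extend(bad)
            return
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    handle_startendtag = handle_starttag  # <img .../> gets the same check

    def handle_endtag(self, tag):
        if tag != "img":  # img is a void element, it has no end tag
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def strip_external_imgs(markup):
    """Return (filtered_markup, list_of_dropped_src_values)."""
    parser = ImgSrcFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The second return value lists the rejected src values, which is useful for logging attempts against fields such as a Lightbox name.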

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back 2 years ago
CollectiveAccess validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


We know we need to replicate this. Thanks for the prod.

CollectiveAccess marked this as fixed with commit 5a3c20 2 years ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE