Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Cross-Site Scripting (XSS) in Automation Tags

See original GitHub issue

Version: Papermerge 2.0rc35

Steps to reproduce

Log into Papermerge and visit the “automates” function located at /admin/automate/add/. Insert the following payload into the “Tags” formular and confirm the new tag by inserting a single comma.


The JavaScript payload gets instantly executed by the browser, which leads to reflected XSS. If the automation with an XSS payload is saved, the issue will evolve to stored XSS.

If the saved automation is browsed again, e.g. via the following URL path /admin/automate/1, the stored JS payload will be executed again.


Steps to mitigate this issue

As previously, it is recommended to escape all untrusted user input before reflecting or storing the data.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

ciurcommented, Feb 26, 2021

@l4rm4nd, danke! As with other high priority bugs (related specifically to 2.0), I will take care of them over the weekend.

l4rm4ndcommented, Mar 8, 2021

Seems fixed. Cannot reproduce the XSS vulnerability.


Read more comments on GitHub >

github_iconTop Results From Across the Web

Cross Site Scripting (XSS) Attack Tutorial with Examples ...
A cross-Site Scripting attack is a malicious code injection, which will be executed in the victim's browser. The malicious script can be saved ......
Read more >
Cross-site scripting (XSS) - Web Security Academy
Cross -site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have...
Read more >
What is Cross-Site Scripting? XSS Cheat Sheet - Veracode
Cross-site scripting attacks, also called XSS attacks, are a type of injection attack that injects malicious code into otherwise safe websites.
Read more >
What is Cross-Site Scripting (XSS)? How to Prevent and Fix It
Cross-site scripting (XSS) is a type of injection attack in which a threat actor inserts data, such as a malicious script, into content...
Read more >
What is XSS | Stored Cross Site Scripting Example - Imperva
Stored XSS attack example ... While browsing an e-commerce website, a perpetrator discovers a vulnerability that allows HTML tags to be embedded in...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found