CVE-2018-16405
Description
Mayan EDMS before 3.0.2 suffers from reflected XSS in the Appearance app via direct assignment to window.location.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mayan EDMS versions before 3.0.2 contain a reflected cross-site scripting (XSS) vulnerability in the Appearance application. The application sets window.location directly to user-controllable input without proper sanitization, allowing an attacker to inject arbitrary JavaScript code [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that includes the payload in a query parameter processed by the Appearance app. When a victim user with access to Mayan EDMS visits the crafted link, the injected script executes in the context of the victim's session [2]. No authentication or additional privileges are required for the attacker to deliver the payload.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. An attacker can steal session cookies, perform actions on behalf of the victim, deface the application interface, or redirect the user to malicious sites. The scope of the attack is limited to the Mayan EDMS application domain and the victim's browser session [2].
Mitigation
The fix was released in Mayan EDMS version 3.0.2 [1][2]. Users should upgrade to 3.0.2 or later. There is no known workaround for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
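The sink described above, as an added example that is not Mayan EDMS code: a redirect that assigns a query parameter straight to window.location, beside a hardened helper that accepts only same-origin http(s) targets and returns a relative path. The parameter name `next`, the helper names and the origin `https://app.example` are assumptions for illustration.

```javascript
// Added example, not Mayan EDMS code. Helper names, the "next" parameter and
// the app origin "https://app.example" are assumptions for illustration.

// Vulnerable pattern: the query value flows straight into the location sink.
// A value carrying a script-bearing scheme is then evaluated in the page,
// which is the bug class described for the Appearance app.
function redirectUnsafe(nextParam) {
  if (typeof window !== 'undefined') window.location = nextParam; // sink
}

// Hardened form: parse the value, keep only same-origin http(s) targets, and
// return a path (never an origin) so the result cannot leave the application.
// Other schemes (javascript:, data:), other hosts, protocol-relative "//host"
// forms and unparseable input all fall back to a safe default.
function safeRedirectTarget(nextParam, appOrigin, fallback = '/') {
  if (typeof nextParam !== 'string' || nextParam.length === 0) return fallback;
  let url;
  try {
    // Relative input resolves against the app origin; absolute input keeps
    // whatever origin it carries and is checked below.
    url = new URL(nextParam, appOrigin);
  } catch {
    return fallback;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  if (url.origin !== new URL(appOrigin).origin) return fallback;
  return url.pathname + url.search + url.hash;
}

// Browser-side usage: read the parameter from the current URL and navigate
// only to the validated target. No-op outside a browser (e.g. under Node).
function redirectSafe(fallback = '/') {
  if (typeof window === 'undefined') return null;
  const next = new URLSearchParams(window.location.search).get('next');
  const target = safeRedirectTarget(next, window.location.origin, fallback);
  window.location.assign(target);
  return target;
}
```

Validating the scheme and origin after parsing, rather than pattern-matching the raw string, is what closes the backslash and protocol-relative variants that a prefix check misses.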
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mayan-edms (PyPI) | < 3.0.2 | 3.0.2 |
| mayan-edms-ng (PyPI) | < 3.0.2 | 3.0.2 |
Affected products
Two entries from GHSA coordinates (no CPE assigned):
- mayan-edms: range < 3.0.2
- mayan-edms-ng: range < 3.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-fpcv-j2q9-vqhw (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-16405 (NVD advisory)
- github.com/pypa/advisory-database/tree/main/vulns/mayan-edms-ng/PYSEC-2018-16.yaml (web)
- github.com/pypa/advisory-database/tree/main/vulns/mayan-edms/PYSEC-2018-106.yaml (web)
- gitlab.com/mayan-edms/mayan-edms/blob/master/HISTORY.rst (web, x_refsource_MISC)
- gitlab.com/mayan-edms/mayan-edms/commit/9ebe80595afe4fdd1e2c74358d6a9421f4ce130e (web, x_refsource_MISC)
- gitlab.com/mayan-edms/mayan-edms/issues/494 (web, x_refsource_MISC)
News mentions
No linked articles in our index yet.