CVE-2018-16406

Vulnerability

A persistent cross-site scripting (XSS) vulnerability exists in the Cabinet app of Mayan EDMS versions before 3.0.2. The issue is located in the JSTree implementation within the template file cabinets/cabinet_details.html (lines 49-52), where the jstree_data variable is rendered unsafely with {{ jstree_data|safe }}. The JSTree does not escape cabinet labels, allowing an attacker to inject arbitrary JavaScript that executes when the cabinet details page is rendered. This affects all installations of Mayan EDMS prior to the 3.0.2 release [1][2][4].

Exploitation

An attacker who can create or modify cabinets in Mayan EDMS can craft a cabinet label containing a malicious payload (e.g., "}]}});prompt(document.domain);jstree({'core':{'data':[{"text":"). When a user clicks the details button for the cabinet, the label is rendered in the JSTree navigation area, breaking the JavaScript context and executing the injected code. No additional user interaction beyond viewing the cabinet details is required [4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to cookie theft, session hijacking, defacement of the application interface, or further attacks such as keylogging or data exfiltration. Since the XSS is stored (persistent), the payload affects all users who view the cabinet details, potentially compromising the confidentiality, integrity, and availability of the Mayan EDMS installation [1][4].

Mitigation

The vulnerability is fixed in Mayan EDMS version 3.0.2, which was released after the issue was identified. Users should upgrade to version 3.0.2 or later to eliminate the vulnerability. The recommended fix is to HTML-encode cabinet labels before passing them to the JSTree template, rather than relying on blacklisting characters. As of the publication date, no workaround is documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2][4].