CVE-2020-29456
Description
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| papermerge (PyPI) | >= 1.2.0, < 1.5.2 | 1.5.2 |
Affected products
- Papermerge/Papermerge
Patches
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input before it is placed in web page output allows stored cross-site scripting."
Attack vector
An attacker creates a folder, tag, or document whose name contains a JavaScript or HTML payload (e.g., `XSS Folder<script>alert('XSS');</script>`). When any user (including the attacker) opens that folder in the Papermerge web application, the browser executes the injected script [ref_id=1]. If email consumption is configured, a malicious document can be sent by email and is automatically uploaded, requiring no authentication to trigger the XSS. Otherwise, the attacker must first authenticate to the application.
Affected code
The vulnerability exists in the rename, tag, upload, and create folder functions of Papermerge. The advisory [ref_id=1] demonstrates that user-supplied folder names are not sanitized or escaped before being rendered in the browser when the folder is opened.
What the fix does
The advisory [ref_id=1] recommends that user input be properly validated and sanitized before being rendered in the web page, referencing OWASP XSS prevention guidance. No patch diff is provided in the bundle; the fix was released in Papermerge version 1.5.2, which neutralizes user-controllable input before it is placed in web page output.
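As an added illustration of the fix class described above (neutralize user-controllable names before they are placed in HTML output), the following is not Papermerge's own code: the folder-listing markup, function names and sample names are constructed assumptions, and the payload string is the one quoted in the advisory.

```python
"""Escape user-controlled names before they reach HTML, plus an audit sweep.

Constructed example: the markup, function names and sample names are
assumptions, not Papermerge's templates.
"""
import html
import re

# Constructed sample names: the advisory's payload plus two benign names.
SAMPLE_NAMES = [
    "Invoices 2020",
    "XSS Folder<script>alert('XSS');</script>",
    'Q1 "Draft" & Notes',
]

# Characters/tokens that have no business in a folder, tag or document name.
# Used only to flag stored records for review after upgrading.
_MARKUP = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)


def render_folder_unsafe(name: str) -> str:
    """The defect class: raw interpolation of a stored name into HTML."""
    return f'<li class="folder">{name}</li>'


def render_folder(name: str) -> str:
    """The fix: HTML-escape the name in both the element body and an attribute.

    html.escape(quote=True) turns < > & " ' into entities, so a stored name is
    only ever displayed as text and is never parsed as markup or script.
    """
    safe = html.escape(name, quote=True)
    return f'<li class="folder" title="{safe}">{safe}</li>'


def looks_like_markup(name: str) -> bool:
    """Audit helper: True when a stored name contains markup-like content."""
    return bool(_MARKUP.search(name))


def audit_names(names):
    """Return the names that contain markup, for a post-upgrade data sweep."""
    return [n for n in names if looks_like_markup(n)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(render_folder(n))
    print("flagged for review:", audit_names(SAMPLE_NAMES))
```

Escaping at render time protects names already stored before the upgrade; the audit sweep only tells you which records to inspect.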
Preconditions
- Auth: If email consumption is configured, no authentication is required; otherwise the attacker must be authenticated.
- Input: The attacker must be able to create or rename a folder, tag, or document, or upload a file with a crafted name.
- Input: A victim user must open the folder, tag, or document containing the malicious payload.
Reproduction
1. Log in to the Papermerge web application.
2. Create a new folder named `XSS Folder<script>alert('XSS');</script>` (without quotes).
3. Open the newly created folder. The browser executes the JavaScript payload, displaying an alert box [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9w49-m7xh-5r39 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-29456 (GHSA advisory)
- github.com/ciur/papermerge/issues/228 (GHSA, x_refsource_MISC)
- github.com/ciur/papermerge/releases/tag/v1.5.2 (GHSA, x_refsource_MISC)
- github.com/pypa/advisory-database/tree/main/vulns/papermerge/PYSEC-2020-74.yaml (GHSA)
- www.papermerge.com (GHSA)
- www.papermerge.com (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.