VYPR
Moderate severity · NVD Advisory · Published Feb 7, 2023 · Updated Mar 25, 2025

Mayan EDMS Tag XSS

CVE-2022-47419

Description

A stored XSS vulnerability in Mayan EDMS's tagging system allows privileged users to inject arbitrary JavaScript via tag labels.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2022-47419 is a stored cross-site scripting (XSS) vulnerability in Mayan EDMS, an open-source document management system. The flaw resides in the in-product tagging system, where tag labels are not properly sanitized before being rendered in the Select2 user interface widget. This allows an authenticated user with sufficient privileges to inject arbitrary HTML or JavaScript code that persists within the application [2][3].

Exploitation

Successful exploitation requires a privileged account — it is not possible for guest, anonymous, or unauthenticated visitors to trigger the vulnerability. An attacker must have access to the tagging feature and create or modify a tag label containing malicious script content. The injected code executes when other users interact with the tag selection interface (e.g., attaching or removing tags from documents) [3]. The vendor states that the attack cannot bypass Mayan EDMS's access controls or expose arbitrary information outside the tagging context [3].

Impact

While the XSS can execute arbitrary JavaScript in the context of the victim's session, the vendor notes that the impact is limited. Because Mayan EDMS uses Django with SESSION_COOKIE_HTTPONLY enabled by default since version 1.4 (March 2012), session cookies are not accessible via JavaScript, preventing standard session theft via this XSS. The vulnerability is reported as a “limited scope weakness of the tagging system markup” that can display arbitrary text when selecting tags [3].

Mitigation

Version 4.3.6 of Mayan EDMS backports the fix by sanitizing tag labels in the Select2 widget template [3]. Users are advised to upgrade to this release or later. No workarounds are provided for earlier versions. The issue was disclosed by Rapid7 researcher Matthew Kienow; the vendor did not respond to initial disclosure attempts but later released the patch [1][3].
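To make the rendering defect and the template-level fix concrete, here is an added Python model of the pattern (it is not Mayan EDMS's own code, and the function names, the `<option>` markup and the sample tag labels are assumptions constructed for this example). It renders a tag select list two ways, once by interpolating the label verbatim (the effect of a Django template that marks the value `|safe` or of JavaScript that inserts the label as HTML) and once with output escaping (what Django's autoescaping does for a plain `{{ tag.label }}`), then parses the result to show that only the unescaped version yields a live `<script>` element. It also includes a small audit over stored labels that an administrator could use to find existing tag-like markup before or after upgrading.

```python
"""Model of the tag-label rendering defect behind CVE-2022-47419 and its fix.

Added example, not Mayan EDMS's own code. The helper names, the option
markup and the sample data below are assumptions made for illustration.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample tag rows (pk, label): two benign labels, one of them
# legitimately containing angle brackets, plus the probe string quoted in
# the advisory's reproduction steps.
SAMPLE_TAGS = [
    (1, "Invoices"),
    (2, "Q4 <2022>"),
    (3, "<script>alert('XSS-tag-label')</script>"),
]


def render_tag_options_unsafe(tags):
    """Vulnerable pattern: the label is placed into the markup verbatim.

    In a Django template this corresponds to ``{{ tag.label|safe }}`` (or
    building the Select2 option HTML in JavaScript from the raw label).
    """
    return "".join(f'<option value="{pk}">{label}</option>' for pk, label in tags)


def render_tag_options_escaped(tags):
    """Fixed pattern: the label is HTML-escaped at output time.

    This is what Django autoescaping produces for ``{{ tag.label }}``; the
    label text is preserved, but it can no longer open a new element.
    """
    return "".join(
        f'<option value="{pk}">{html.escape(label, quote=True)}</option>'
        for pk, label in tags
    )


class _StartTagCollector(HTMLParser):
    """Collects the names of start tags the browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup):
    """Return the element names present in rendered markup, in order.

    Used to check whether a rendering produced anything beyond the expected
    ``option`` elements, e.g. a ``script`` element smuggled in via a label.
    """
    parser = _StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Matches the opening of an HTML start or end tag ("<p", "</ p", ...) but not a
# bare "<" followed by a digit or symbol, so "Q4 <2022>" is left alone.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def find_markup_labels(tags):
    """Audit helper: primary keys of stored tags whose label contains markup.

    Intended for an administrator reviewing existing rows; escaping on output
    remains the actual fix, this only locates labels worth a manual look.
    """
    return [pk for pk, label in tags if _MARKUP_RE.search(label)]


if __name__ == "__main__":
    print("unsafe  :", element_names(render_tag_options_unsafe(SAMPLE_TAGS)))
    print("escaped :", element_names(render_tag_options_escaped(SAMPLE_TAGS)))
    print("flagged :", find_markup_labels(SAMPLE_TAGS))
```

Run stand-alone, the unsafe rendering lists a `script` element after the three `option` elements, the escaped rendering lists only the three `option` elements, and the audit flags only tag 3 (the bracketed but harmless label of tag 2 is not reported). The design point is that the fix lives at the output boundary: escaping the label when it is rendered keeps every character of a legitimate label while removing its ability to create elements, whereas rejecting brackets on input would break labels like `Q4 <2022>` and would not protect rows that were stored before the check existed.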

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions   Patched versions
mayan-edms    PyPI        < 4.3.6             4.3.6

Vulnerability mechanics

Root cause

"The in-product tagging system does not properly neutralize user-supplied input before rendering it in the web interface, leading to cross-site scripting."

Attack vector

An attacker can inject malicious script into the 'Label' field when creating a new tag within the Mayan EDMS tagging system [ref_id=1]. This script is then stored by the application. When another user views documents and accesses the 'Attach tags' functionality, the stored script is executed in their browser [ref_id=1]. This stored cross-site scripting vulnerability allows for various post-exploitation techniques, such as stealing session cookies to impersonate users or injecting commands using tools like BeEF [ref_id=1].

Affected code

The vulnerability is present in the in-product tagging system of Mayan EDMS. Specifically, the 'Label' field during tag creation is susceptible to script injection [ref_id=1]. The stored script is then executed when a user interacts with the 'Attach tags' button on a document's preview page [ref_id=1].

What the fix does

The advisory does not specify a patch or vendor update for this vulnerability. Administrators are advised to limit the creation of anonymous or untrusted users, as guest access may be sufficient to launch these stored XSS attacks against more privileged users. Until a fix is provided, only trusted users should be permitted to use features like messaging, chat, document renaming, and document versioning [ref_id=1].

Preconditions

  • auth: The attacker needs to be able to create tags within the system. In some cases, guest access may be sufficient [ref_id=1].
  • input: The attacker must inject script into the 'Label' field when creating a new tag.

Reproduction

  • Click Tags and then the “Create new tag” link in the panel on the left.
  • In the Label field enter a tag such as `<script>alert('XSS-tag-label')</script>`.
  • Click the Save button.
  • Select Documents and then the “All documents” link in the panel on the left.
  • Click a document to open the document preview.
  • Click the Tags link on the panel to the right.
  • Click the “Attach tags” button.
  • Click in the Tags drop-down menu and the XSS will execute in the user’s web browser [ref_id=1].

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.