CVE-2025-50183 (GCVE-0-2025-50183)

Vulnerability from cvelistv5 – Published: 2025-06-19 02:20 – Updated: 2025-06-23 16:57

Title

OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

Summary

OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/OpenListTeam/OpenList/security…	x_refsource_CONFIRM
	https://github.com/OpenListTeam/OpenList-Frontend…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	OpenListTeam	OpenList	Affected: < 4.0.0-rc.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-50183",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-23T16:57:12.849149Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-23T16:57:37.085Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenList",
          "vendor": "OpenListTeam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.0-rc.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in \u003cscript\u003e tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T02:20:32.618Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp"
        },
        {
          "name": "https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175"
        }
      ],
      "source": {
        "advisory": "GHSA-2hw3-h8qx-hqqp",
        "discovery": "UNKNOWN"
      },
      "title": "OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-50183",
    "datePublished": "2025-06-19T02:20:32.618Z",
    "dateReserved": "2025-06-13T19:17:51.726Z",
    "dateUpdated": "2025-06-23T16:57:37.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-50183\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-19T03:15:25.717\",\"lastModified\":\"2025-06-23T20:16:59.783\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in \u003cscript\u003e tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4.\"},{\"lang\":\"es\",\"value\":\"OpenList Frontend es un componente de interfaz de usuario para OpenList. Antes de la versi\u00f3n 4.0.0-rc.4, exist\u00eda una vulnerabilidad en la funci\u00f3n de vista previa/exploraci\u00f3n de archivos de la aplicaci\u00f3n. En ciertos modos, los archivos con extensi\u00f3n .py que contienen c\u00f3digo JavaScript entre etiquetas \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-50183\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-23T16:57:12.849149Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-23T16:57:30.755Z\"}}], \"cna\": {\"title\": \"OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer\", \"source\": {\"advisory\": \"GHSA-2hw3-h8qx-hqqp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"OpenListTeam\", \"product\": \"OpenList\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.0.0-rc.4\"}]}], \"references\": [{\"url\": \"https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp\", \"name\": \"https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175\", \"name\": \"https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in \u003cscript\u003e tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-19T02:20:32.618Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-50183\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-23T16:57:37.085Z\", \"dateReserved\": \"2025-06-13T19:17:51.726Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-19T02:20:32.618Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-2HW3-H8QX-HQQP

Vulnerability from github – Published: 2025-06-18 14:41 – Updated: 2025-06-19 15:19

Summary

OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

Details

XSS via .py file containing script tag interpreted as HTML

Summary

A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.

Affected Versions

<= 4.0.0-rc.3

PoC

Create a .py file with arbitrary JavaScript content wrapped in <script> tags. For example:

<script>alert(document.cookie);</script>

When a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.

Attack vector

An attacker can place such a .py file in the system via remote channels, such as: * Convincing a webmaster to download or upload the file; * Tricking users into accessing a file link via public URLs.

Required permissions

None, if public or visitor access is enabled.
If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.

User interaction

Yes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using ISO-8859-1 encoding.

Scope

Unchanged (S:U) - The attack does not cross system or privilege boundaries in general.
⚠️ Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed (S:C).

Impact

Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.
Integrity & Availability: Not directly impacted.

Recommendations

Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.
Disable rendering modes that can interpret user-uploaded content as HTML.

Timeline

Date	Event
2025-06-17	Vulnerability reported
2025-06-17	Comminuty Manager confirmed
2025-06-17	Fixed

Credits

Discovered by: @zyk2507
Reported to: The OpenList Team
Analyzed and confirmed by: @jyxjjj
Fixed by: @cxw620
Fixed in: 4.0.0-rc.4

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0-rc.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@openlist-frontend/openlist-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-50183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-18T14:41:25Z",
    "nvd_published_at": "2025-06-19T03:15:25Z",
    "severity": "MODERATE"
  },
  "details": "XSS via `.py` file containing script tag interpreted as HTML\n\n## Summary\n\nA vulnerability exists in the file preview/browsing feature of the application, where files with a `.py` extension that contain JavaScript code wrapped in `\u003cscript\u003e` tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.\n\n## Affected Versions\n\n* \u003c= 4.0.0-rc.3\n\n## PoC\n\nCreate a `.py` file with arbitrary JavaScript content wrapped in `\u003cscript\u003e` tags. For example:\n\n```javascript\n\u003cscript\u003ealert(document.cookie);\u003c/script\u003e\n```\n\nWhen a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.\n\n--- \n\n## Attack vector\n\nAn attacker can place such a `.py` file in the system via remote channels, such as:\n* Convincing a webmaster to download or upload the file; \n* Tricking users into accessing a file link via public URLs.\n\n## Required permissions\n\n* None, if public or visitor access is enabled.\n* If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.\n\n## User interaction\n\nYes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using `ISO-8859-1` encoding.\n\n## Scope\n\n* Unchanged `(S:U)` - The attack does not cross system or privilege boundaries in general.\n* \u26a0\ufe0f Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed `(S:C)`.\n\n## Impact\n\n* Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.\n* Integrity \u0026 Availability: Not directly impacted.\n\n---\n\n## Recommendations\n\n* Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.\n* Disable rendering modes that can interpret user-uploaded content as HTML.\n\n## Timeline\n\n| Date | Event |\n|------|-------|\n| 2025-06-17 | Vulnerability reported |\n| 2025-06-17 | Comminuty Manager confirmed |\n| 2025-06-17 | Fixed |\n\n# Credits\n\n* Discovered by: @zyk2507\n* Reported to: [The OpenList Team](https://github.com/OpenListTeam)\n* Analyzed and confirmed by: @jyxjjj\n* Fixed by: @cxw620\n* Fixed in: `4.0.0-rc.4`",
  "id": "GHSA-2hw3-h8qx-hqqp",
  "modified": "2025-06-19T15:19:19Z",
  "published": "2025-06-18T14:41:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenListTeam/OpenList"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer"
}

FKIE_CVE-2025-50183

Vulnerability from fkie_nvd - Published: 2025-06-19 03:15 - Updated: 2025-06-23 20:16

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175
	security-advisories@github.com	https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in \u003cscript\u003e tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4."
    },
    {
      "lang": "es",
      "value": "OpenList Frontend es un componente de interfaz de usuario para OpenList. Antes de la versi\u00f3n 4.0.0-rc.4, exist\u00eda una vulnerabilidad en la funci\u00f3n de vista previa/exploraci\u00f3n de archivos de la aplicaci\u00f3n. En ciertos modos, los archivos con extensi\u00f3n .py que contienen c\u00f3digo JavaScript entre etiquetas "
    }
  ],
  "id": "CVE-2025-50183",
  "lastModified": "2025-06-23T20:16:59.783",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-19T03:15:25.717",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-50183 (GCVE-0-2025-50183)

GHSA-2HW3-H8QX-HQQP

Summary

Affected Versions

PoC

Attack vector

Required permissions

User interaction

Scope

Impact

Recommendations

Timeline

Credits

FKIE_CVE-2025-50183

Tags

Sightings

Nomenclature