GHSA-2HW3-H8QX-HQQP

Vulnerability from github – Published: 2025-06-18 14:41 – Updated: 2025-06-19 15:19
VLAI?
Summary
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
Details

XSS via .py file containing script tag interpreted as HTML

Summary

A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.

Affected Versions

  • <= 4.0.0-rc.3

PoC

Create a .py file with arbitrary JavaScript content wrapped in <script> tags. For example:

<script>alert(document.cookie);</script>

When a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.

Attack vector

An attacker can place such a .py file in the system via remote channels, such as: * Convincing a webmaster to download or upload the file; * Tricking users into accessing a file link via public URLs.

Required permissions

  • None, if public or visitor access is enabled.
  • If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.

User interaction

Yes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using ISO-8859-1 encoding.

Scope

  • Unchanged (S:U) - The attack does not cross system or privilege boundaries in general.
  • ⚠️ Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed (S:C).

Impact

  • Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.
  • Integrity & Availability: Not directly impacted.

Recommendations

  • Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.
  • Disable rendering modes that can interpret user-uploaded content as HTML.

Timeline

Date Event
2025-06-17 Vulnerability reported
2025-06-17 Comminuty Manager confirmed
2025-06-17 Fixed

Credits

  • Discovered by: @zyk2507
  • Reported to: The OpenList Team
  • Analyzed and confirmed by: @jyxjjj
  • Fixed by: @cxw620
  • Fixed in: 4.0.0-rc.4
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0-rc.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@openlist-frontend/openlist-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-50183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-18T14:41:25Z",
    "nvd_published_at": "2025-06-19T03:15:25Z",
    "severity": "MODERATE"
  },
  "details": "XSS via `.py` file containing script tag interpreted as HTML\n\n## Summary\n\nA vulnerability exists in the file preview/browsing feature of the application, where files with a `.py` extension that contain JavaScript code wrapped in `\u003cscript\u003e` tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.\n\n## Affected Versions\n\n* \u003c= 4.0.0-rc.3\n\n## PoC\n\nCreate a `.py` file with arbitrary JavaScript content wrapped in `\u003cscript\u003e` tags. For example:\n\n```javascript\n\u003cscript\u003ealert(document.cookie);\u003c/script\u003e\n```\n\nWhen a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.\n\n--- \n\n## Attack vector\n\nAn attacker can place such a `.py` file in the system via remote channels, such as:\n* Convincing a webmaster to download or upload the file; \n* Tricking users into accessing a file link via public URLs.\n\n## Required permissions\n\n* None, if public or visitor access is enabled.\n* If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.\n\n## User interaction\n\nYes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using `ISO-8859-1` encoding.\n\n## Scope\n\n* Unchanged `(S:U)` - The attack does not cross system or privilege boundaries in general.\n* \u26a0\ufe0f Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed `(S:C)`.\n\n## Impact\n\n* Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.\n* Integrity \u0026 Availability: Not directly impacted.\n\n---\n\n## Recommendations\n\n* Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.\n* Disable rendering modes that can interpret user-uploaded content as HTML.\n\n## Timeline\n\n| Date | Event |\n|------|-------|\n| 2025-06-17 | Vulnerability reported |\n| 2025-06-17 | Comminuty Manager confirmed |\n| 2025-06-17 | Fixed |\n\n# Credits\n\n* Discovered by: @zyk2507\n* Reported to: [The OpenList Team](https://github.com/OpenListTeam)\n* Analyzed and confirmed by: @jyxjjj\n* Fixed by: @cxw620\n* Fixed in: `4.0.0-rc.4`",
  "id": "GHSA-2hw3-h8qx-hqqp",
  "modified": "2025-06-19T15:19:19Z",
  "published": "2025-06-18T14:41:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-2hw3-h8qx-hqqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList-Frontend/commit/7b5ed20c608c7b9b36d1950a386678e0a89f8175"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenListTeam/OpenList"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.