GHSA-2hw3-h8qx-hqqp

Suggest an improvement
Source
https://github.com/advisories/GHSA-2hw3-h8qx-hqqp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2hw3-h8qx-hqqp/GHSA-2hw3-h8qx-hqqp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2hw3-h8qx-hqqp
Aliases
Published
2025-06-18T14:41:25Z
Modified
2025-06-19T15:19:19Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
Details

XSS via .py file containing script tag interpreted as HTML

Summary

A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.

Affected Versions

  • <= 4.0.0-rc.3

PoC

Create a .py file with arbitrary JavaScript content wrapped in <script> tags. For example:

<script>alert(document.cookie);</script>

When a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.

Attack vector

An attacker can place such a .py file in the system via remote channels, such as: * Convincing a webmaster to download or upload the file; * Tricking users into accessing a file link via public URLs.

Required permissions

  • None, if public or visitor access is enabled.
  • If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.

User interaction

Yes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using ISO-8859-1 encoding.

Scope

  • Unchanged (S:U) - The attack does not cross system or privilege boundaries in general.
  • ⚠️ Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed (S:C).

Impact

  • Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.
  • Integrity & Availability: Not directly impacted.

Recommendations

  • Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.
  • Disable rendering modes that can interpret user-uploaded content as HTML.

Timeline

| Date | Event | |------|-------| | 2025-06-17 | Vulnerability reported | | 2025-06-17 | Comminuty Manager confirmed | | 2025-06-17 | Fixed |

Credits

  • Discovered by: @zyk2507
  • Reported to: The OpenList Team
  • Analyzed and confirmed by: @jyxjjj
  • Fixed by: @cxw620
  • Fixed in: 4.0.0-rc.4
Database specific 
{
    "nvd_published_at": "2025-06-19T03:15:25Z",
    "github_reviewed_at": "2025-06-18T14:41:25Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / @openlist-frontend/openlist-frontend

Package

Name
@openlist-frontend/openlist-frontend
View open source insights on deps.dev
Purl
pkg:npm/%40openlist-frontend/openlist-frontend

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.0-rc.4

Database specific 

{
    "last_known_affected_version_range": "<= 4.0.0-rc.3"
}