CVE-2020-29456

Name of the Vulnerable Software and Affected Versions Papermerge versions prior to 1.5.2

Description Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application, requiring no authentication to exploit XSS. Otherwise, authentication is required.

Recommendations For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue. As a temporary workaround, consider disabling the rename, tag, upload, or create folder functions until a patch is available. Restrict access to email consumption in Papermerge to minimize the risk of exploitation. Avoid using potentially malicious documents or filenames in the affected functions until the issue is resolved.