CVE-2023-46448 in Mejiro

Summary

by MITRE • 11/02/2023

Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images.

Analysis

by VulDB Data Team • 02/16/2026

This reflected cross-site scripting vulnerability exists in dmpop Mejiro Commit versions prior to 3096393 and represents a critical security flaw that enables remote code execution through image metadata manipulation. The vulnerability stems from insufficient input validation and sanitization of metadata fields within the image upload functionality, creating an attack vector where attackers can inject malicious scripts that execute in the context of other users' browsers. The flaw specifically affects the handling of metadata strings embedded within uploaded image files, particularly in the EXIF data or other metadata sections, which are not properly escaped or filtered before being rendered in web pages. This type of vulnerability falls under CWE-79, which defines improper neutralization of input during web page generation, commonly known as cross-site scripting. The attack occurs when an attacker uploads an image containing malicious metadata that, when processed by the application, is reflected back to users without proper sanitization. The vulnerability is particularly dangerous because it leverages the trust relationship between users and the application, allowing attackers to execute arbitrary code in the victim's browser session. This can lead to session hijacking, credential theft, or redirection to malicious sites, as demonstrated in the ATT&CK framework under technique T1566 for initial access through spearphishing attachments.

The technical implementation of this vulnerability exploits the fact that image metadata fields are not properly validated or escaped when displayed in web interfaces, creating a reflected XSS condition. When users view images or metadata associated with uploaded files, the malicious strings embedded in the metadata are executed as scripts in the browser context of other users who access the affected pages. The flaw is particularly insidious because it can be exploited through routine image upload functionality, making it difficult to detect and prevent through traditional security measures. The vulnerability allows attackers to inject JavaScript code that can manipulate the DOM, steal cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. This reflects a common pattern in web application security where metadata handling is overlooked during security assessments, leading to critical flaws that can be exploited through seemingly benign user interactions. The impact is amplified because image uploads are typically considered safe operations, and users often do not suspect that metadata could contain malicious code that would execute when the image is displayed or processed.

The operational impact of this vulnerability extends beyond simple script execution to encompass potential full system compromise through session manipulation and credential theft. Attackers can leverage this vulnerability to establish persistent access to user sessions, potentially gaining administrative privileges or sensitive data access within the application. The reflected nature of the XSS means that the attack payload does not need to be stored on the server, making it harder to detect through traditional logging mechanisms. This vulnerability also enables social engineering attacks where users are tricked into uploading images that contain malicious metadata, which then executes when other users view the images. The exploitability of this vulnerability is high due to the common nature of image upload functionality and the fact that many applications do not properly validate metadata content. Organizations using affected versions of dmpop Mejiro Commit should implement immediate mitigations including input validation for all metadata fields, proper HTML escaping of dynamic content, and regular security updates to address the identified vulnerability. Additionally, implementing content security policies and monitoring for unusual metadata patterns can help detect and prevent exploitation attempts. The vulnerability highlights the importance of comprehensive input validation across all data handling processes, particularly in file upload scenarios where metadata is often treated as trusted content without proper sanitization.
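The mitigations named above (metadata validation, HTML escaping of dynamic content, and monitoring for unusual metadata patterns) are sketched below as an added example. It is not code from Mejiro or from this advisory; the field names, function names, length limit and sample metadata are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample: metadata as an application might read it from an uploaded
# image. Field names and values are illustrative, not taken from Mejiro.
SAMPLE_METADATA = {
    "Caption": "Sunset over <b>Kyoto</b> & Osaka",
    "Artist": '"><script>alert(1)</script>',
    "Model": "X-T4",
}

# Markup-like content that plain-text photo metadata should not contain and
# that changes meaning inside HTML text or attribute contexts.
_MARKUP = re.compile(r"[<>\"'`]|&#|javascript:", re.IGNORECASE)
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_FIELD_LEN = 256  # assumed display limit


def render_unsafe(meta):
    """The flawed pattern: metadata concatenated into markup unescaped."""
    return '<img src="photo.jpg" alt="%s"><p>%s</p>' % (
        meta.get("Artist", ""), meta.get("Caption", ""))


def clean_field(value):
    """Validation step: strip control characters and bound the length."""
    return _CONTROL.sub("", str(value))[:MAX_FIELD_LEN]


def render_safe(meta):
    """Escape every field for both text and quoted-attribute contexts."""
    artist = html.escape(clean_field(meta.get("Artist", "")), quote=True)
    caption = html.escape(clean_field(meta.get("Caption", "")), quote=True)
    return '<img src="photo.jpg" alt="%s"><p>%s</p>' % (artist, caption)


def suspicious_fields(meta):
    """Return names of fields holding markup-like content, for logging."""
    return sorted(k for k, v in meta.items() if _MARKUP.search(str(v)))
```

Escaping happens at output time on every field, so a value that passes validation is still rendered as inert text; `suspicious_fields` is a detection aid only and is not a substitute for escaping.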

Responsible: MITRE
Reservation: 10/23/2023
Disclosure: 11/02/2023
Moderation: accepted
CPE: ready
EPSS: 0.00399
KEV: no
Activities: very low
